SQL Injection Attack
SQL Injection is an attack technique used to exploit web sites by altering backend SQL Statements through manipulating application input. It is a technique that takes advantage of non-validated user input data to inject SQL Statements dynamically into the existing ones for execution, and hence, poses a severe security threat to the supposedly secure systems. If attacker can get through some of the system stored procedures and some database server functions, then not only they can steal data from the databases, but also modify and delete it.
Some Examples of SQL Injection attack:
Example 1:
If there is a form which gets value from a Form.
If the form looks like:
Enter Product ID: 124 OR 2=2
Then the corresponding SQL Statement for that will be
select * from products where ProductId = 124 OR 2=2
This statement will always return a Value since 2=2 is always true.
Example 2:
If there is a login validation form and a user inputs like this then,
Login: ‘OR”=’
Password: ‘OR”=’
then the corresponding SQL statement will be
Select IsAuthorized FROM Users where Login = ' ' OR"=" AND Password = ' ' OR"="
Read more…
