Join Dotnetcodes DotnetCodes.com is online Discussion Forum for Software professionals . It lets you find friends around the world and Create professional network that share similar interests as you. Get help on ur projects by industry specialists. Also get answers to all ur technical/placement related querries.Get an edge over others.
Already MemberClick here to login
ASP.net MVC Interview Questions Answers Interview Questions
Get Started Developing for Android Apps with Eclipse Articles
Serial Number in SSRS Articles
.Net framework 4.0 Interview Questions Answers Interview Questions
SQL server reporting services Interview Questions (SSRS) part 1 Articles
Whats New in ASP.NET 4.0 Part 2 Articles
How to Print a Crystal Report direct to printer Articles
Difference between Encapsulation and Abstraction Interview Questions
Explaining SDLC -System Development Life Cycle Articles
Html5 interview questions and answers Interview Questions
SharePoint 2010 interview Questions Answers Interview Questions
Infosys Interview Questions Interview Questions
Dynamic Menu using HTML List Tag and CSS in ASP.Net Articles
Populate or bind Dropdownlist in Asp.net using Jquery and Json Articles
ASP.NET MVC Overview Interview Questions
Submit Articles | More Articles..

SQL Injection Introduction

Posted By: rakesh On:7/26/2010 5:07:43 AM in:Articles Category:Best Practices Hits:1087
An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input.

Introduction

SQL Injection is the hacking technique which attempts to pass SQL commands through a web application for execution by the backend database. If not santised properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out.

SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it. Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire machine. Attackers commonly insert single qoutes into a URL's query string, or into a forms input field to test for SQL Injection. If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection.

Example of SQL Injection
Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.

When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.

Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.

The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guess work to important table and field names. 
comments powered by Disqus
User Profile
Rakesh Sinha
Sr. Technical Lead
New Delhi , India
Email :You must Log In to access the contact details.
Latest Post from :rakesh
Response.Redirect vs Server.Transfer
View: 436 | Submitted on: 12/27/2015 2:26:38 PM
The test form is only available for requests from the local machine.
View: 503 | Submitted on: 11/3/2015 9:54:36 PM
Difference between web service WCF and Web API
View: 5712 | Submitted on: 10/28/2015 9:23:51 PM
Which party you want to vote in Delhi assembly elections 2015?
View: 1496 | Submitted on: 12/18/2014 4:19:24 AM
How to Calculate sum of a column in a dataset
View: 1170 | Submitted on: 9/17/2014 6:48:19 AM
Submit Articles | All Post of This User..

All rights reserved to dotnetcodes. Logos, company names used here if any are only for reference purposes and they may be respective owner's right or trademarks.
Best viewed at 1024 x 768 resolution with Internet Explorer 5.0 or Mozila Firefox 3.5 or Google Crome and higher