Tech Terminology Demystified – SQL Injection

SQL injection is an attack on a web server that targets the database the web application talks to. The aim of the attack is to trick the database server into running queries constructed by the attacker. These attacks can even carry out database update or delete transactions.

 

 

Login forms on web pages are primary targets of SQL injection attacks. The attacker tries to construct code which will enable him to enter an access-controlled area of the website.

 

SQL injection attacks succeed primarily because web applications do not sanitise user input. The most rudimentary example of the attack is the code:

a' or 'x' = 'x

This code, when entered in the username field of a login page, could give you access to the password-protected area. The quote characters close the string the application wraps around the username, and the added condition 'x' = 'x' is always true.
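The bypass described above, run against a constructed in-memory SQLite login table, next to the parameterized query that stops it. This is an added example, not code from the original post; the table, the function names and the query shape (username compared last in the WHERE clause) are assumptions.

```python
import sqlite3

PAYLOAD = "a' or 'x' = 'x"  # the string quoted on this page


def make_db():
    # Constructed sample data: one user in an in-memory database.
    # Plaintext password only to keep the demonstration short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def build_vulnerable_sql(username, password):
    # Input is pasted into the SQL text, so quotes in it rewrite the query.
    return ("SELECT username FROM users WHERE password = '" + password +
            "' AND username = '" + username + "'")


def login_vulnerable(db, username, password):
    return db.execute(build_vulnerable_sql(username, password)).fetchone() is not None


def login_safe(db, username, password):
    # Placeholders pass the input as data; it is never parsed as SQL.
    sql = "SELECT username FROM users WHERE password = ? AND username = ?"
    return db.execute(sql, (password, username)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the trailing 'x' = 'x' makes the
    # whole WHERE clause true regardless of the password check.
    print(build_vulnerable_sql(PAYLOAD, "wrong"))
    print("vulnerable login:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("parameterized login:", login_safe(db, PAYLOAD, "wrong"))
```

Whether the payload works from the username field alone depends on where that field sits in the query: if the password comparison came after it, the AND would attach to the injected condition and a wrong password would still be rejected.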

 

The consequences of SQL injection attacks include bypass of access controls, loss of confidential data and loss of data integrity.

 

Read Wikipedia’s entry on SQL Injection here.