Welcome to Bucaro TecHelp!

Bucaro TecHelp
Maintain Your Computer and Use it More Effectively
to Design a Web Site and Make Money on the Web

About Bucaro TecHelp About BTH User Agreement User Agreement Privacy Policy Privacy Site Map Site Map Contact Bucaro TecHelp Contact RSS News Feeds News Feeds

Each year 1.5 million shelter animals are euthanized (670,000 dogs and 860,000 cats). Source: ASPCA. The solution is not to shelter unwanted pets, but to SHUT DOWN THE PET MILLS. Anyone who wants a pet will just have to adapt a great pet from a shelter.

Holiday Gift Guide
Holiday Gift Guide

What is a SQL Injection Attack?

Users of computer systems and visitors to websites are familiar with authenticating their identity, or proving, "they are who they say they are," by entering their Username and Password.

What actually happens when you enter text into the Username and Password fields of a login screen is that the text is usually inserted or encapsulated into a SQL command. This command checks the data you've entered against the information stored in the database, such as user names and their respective passwords. If your input matches what is stored in the database then you are granted access to the system. If not, you get an error message and a chance to re-enter the correct information or you are refused entirely.

Databases are at the core of a modern organization's computer systems because they allow you to control your business processes. They store data needed to deliver specific content to visitors, customers, suppliers, and employees. User credentials, financials, payment information, and company statistics may all reside within a database that can be accessed by legitimate users and unfortunately attackers as well. SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in the database

SQL injection is the exploitation of a website or computer system that is caused by the processing of invalid data that is entered into the form fields by a malicious user. SQL injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution in order to access and manipulate the database behind the site, system or application.

SQL Injection vulnerabilities arise because the fields available for user input allow SQL statements to pass through to the database directly in order to process data and user requests. If the input is not filtered properly, web applications may allow SQL commands that enable hackers to view unauthorized information from the database or even wipe it out.

The attack takes advantage of improper coding of web-based applications and computer networks that incorporates features that deliver dynamic content such as:

• Login pages
• Customer support pages
• Product request forms
• Feedback forms
• Search pages
• Shopping carts

When the legitimate user submits his details, a SQL query is generated from these details and submitted to the database for verification. Using SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the form barrier and seeing what lies behind it.

Many times all an attacker needs to perform a SQL Injection hacking attack is a web browser, knowledge of SQL queries, and creativity to guess important table and field names.

A simple illustration of a SQL injection attack goes like this; an attacker attempts compromise a system that they have no access to by entering code instead of their credentials. So when the attacker is prompted to enter their Username and Password he enters codes such as 'x'='x'. And depending how the system's software is written, this command will be True because x always equal x, so the Username and Password combination will always be True or match!

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL Commands through the input field. This allows the attacker to execute any SQL command on the database, including modifying, copying, and deleting data.


The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at 365ComputerSecurityTraining.com [parked domain].

More Network Security Articles:
• Cyber Security Tips for Small and Medium Business (SMB)
• ARP, MAC, Poisoning, and WiFi Security
• Data Encryption
• Network Security by Filtering
• Understanding the Different Classes of Firewalls
• What is a SQL Injection Attack?
• Nessus Network Vulnerability Scanner
• What is Cross Site Scripting?
• Elementary Information Security
• Firewall Rules

RSS Feed RSS Feed


Follow Stephen Bucaro Follow @Stephen Bucaro


Computer Networking Sections

Fire HD
[Site User Agreement] [Privacy Policy] [Site map] [Search This Site] [Contact Form]
Copyright©2001-2017 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268