Welcome to Bucaro TecHelp!

Bucaro TecHelp
Maintain Your Computer and Use it More Effectively
to Design a Web Site and Make Money on the Web

About Bucaro TecHelp About BTH User Agreement User Agreement Privacy Policy Privacy Site Map Site Map Contact Bucaro TecHelp Contact RSS News Feeds News Feeds

Victims of Sandy Hook

Stop the Slaughter of Innocents. Congress is bought and paid for by gun lunatics and gun promotion groups. If you want to live in a safe America, help buy Congress back for America. Send a donation to Mayors Against Illegal Guns, 909 Third Avenue, 15th Floor New York, NY 10022

What is a SQL Injection Attack?

Users of computer systems and visitors to websites are familiar with authenticating their identity, or proving, "they are who they say they are," by entering their Username and Password.

What actually happens when you enter text into the Username and Password fields of a login screen is that the text is usually inserted or encapsulated into a SQL command. This command checks the data you've entered against the information stored in the database, such as user names and their respective passwords. If your input matches what is stored in the database then you are granted access to the system. If not, you get an error message and a chance to re-enter the correct information or you are refused entirely.

Databases are at the core of a modern organization's computer systems because they allow you to control your business processes. They store data needed to deliver specific content to visitors, customers, suppliers, and employees. User credentials, financials, payment information, and company statistics may all reside within a database that can be accessed by legitimate users and unfortunately attackers as well. SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in the database

SQL injection is the exploitation of a website or computer system that is caused by the processing of invalid data that is entered into the form fields by a malicious user. SQL injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution in order to access and manipulate the database behind the site, system or application.

SQL Injection vulnerabilities arise because the fields available for user input allow SQL statements to pass through to the database directly in order to process data and user requests. If the input is not filtered properly, web applications may allow SQL commands that enable hackers to view unauthorized information from the database or even wipe it out.

The attack takes advantage of improper coding of web-based applications and computer networks that incorporates features that deliver dynamic content such as:

• Login pages
• Customer support pages
• Product request forms
• Feedback forms
• Search pages
• Shopping carts

When the legitimate user submits his details, a SQL query is generated from these details and submitted to the database for verification. Using SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the form barrier and seeing what lies behind it.

Many times all an attacker needs to perform a SQL Injection hacking attack is a web browser, knowledge of SQL queries, and creativity to guess important table and field names.

A simple illustration of a SQL injection attack goes like this; an attacker attempts compromise a system that they have no access to by entering code instead of their credentials. So when the attacker is prompted to enter their Username and Password he enters codes such as 'x'='x'. And depending how the system's software is written, this command will be True because x always equal x, so the Username and Password combination will always be True or match!

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL Commands through the input field. This allows the attacker to execute any SQL command on the database, including modifying, copying, and deleting data.

The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at 365ComputerSecurityTraining.com [parked domain].

More Network Security Articles:
• Network Security
• Wireless Network Security
• What is Network AAA (Authentication, Authorization, and Accounting)?
• Data Encryption
• How to Secure Your Wireless Network
• The Basics of Network Security
• How to Become a Professional Ethical Hacker
• How Snort's Stealth TCP Port Scanning Works
• How to Use the Open Source Intrusion Detection System SNORT
• Understanding the Different Classes of Firewalls

RSS Feed RSS Feed

Follow Stephen Bucaro Follow @Stephen Bucaro

Computer Networking Sections

Fire HD
[Site User Agreement] [Privacy Policy] [Site map] [Search This Site] [Contact Form]
Copyright©2001-2017 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268