Welcome to Bucaro TecHelp!

Bucaro TecHelp
HTTPS Encryption not required because no account numbers or
personal information is ever requested or accepted by this site

About Bucaro TecHelp About BTH User Agreement User Agreement Privacy Policy Privacy Site Map Site Map Contact Bucaro TecHelp Contact RSS News Feeds News Feeds

What is a SQL Injection Attack?

By Michael Linn

Users of computer systems and visitors to websites are familiar with authenticating their identity, or proving, "they are who they say they are," by entering their Username and Password.

What actually happens when you enter text into the Username and Password fields of a login screen is that the text is usually inserted or encapsulated into a SQL command. This command checks the data you've entered against the information stored in the database, such as user names and their respective passwords. If your input matches what is stored in the database then you are granted access to the system. If not, you get an error message and a chance to re-enter the correct information or you are refused entirely.

Databases are at the core of a modern organization's computer systems because they allow you to control your business processes. They store data needed to deliver specific content to visitors, customers, suppliers, and employees. User credentials, financials, payment information, and company statistics may all reside within a database that can be accessed by legitimate users and unfortunately attackers as well. SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in the database

SQL injection is the exploitation of a website or computer system that is caused by the processing of invalid data that is entered into the form fields by a malicious user. SQL injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution in order to access and manipulate the database behind the site, system or application.

SQL Injection vulnerabilities arise because the fields available for user input allow SQL statements to pass through to the database directly in order to process data and user requests. If the input is not filtered properly, web applications may allow SQL commands that enable hackers to view unauthorized information from the database or even wipe it out.

The attack takes advantage of improper coding of web-based applications and computer networks that incorporates features that deliver dynamic content such as:

Login pages
Customer support pages
Product request forms
Feedback forms
Search pages
Shopping carts

When the legitimate user submits his details, a SQL query is generated from these details and submitted to the database for verification. Using SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the form barrier and seeing what lies behind it.

Many times all an attacker needs to perform a SQL Injection hacking attack is a web browser, knowledge of SQL queries, and creativity to guess important table and field names.

A simple illustration of a SQL injection attack goes like this; an attacker attempts compromise a system that they have no access to by entering code instead of their credentials. So when the attacker is prompted to enter their Username and Password he enters codes such as 'x'='x'. And depending how the system's software is written, this command will be True because x always equal x, so the Username and Password combination will always be True or match!

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL Commands through the input field. This allows the attacker to execute any SQL command on the database, including modifying, copying, and deleting data.

The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at 365ComputerSecurityTraining.com [parked domain].

More Network Security Articles:
• Implementing a Secure Password Policy
• What is Network AAA (Authentication, Authorization, and Accounting)?
• Handling Rogue Access Points
• Prevent Hacking with Password-Cracking Countermeasures
• Wireless Network Security
• What is Cross Site Scripting?
• Public Key Infrastructure
• Wireless Network Security - The Basics of Securing a Wireless LAN
• Avoid Hacks by Rogue Wireless Devices
• Firewall Rules
Menu - More
Network Security

RSS Feed RSS Feed

Follow Stephen Bucaro Follow @Stephen Bucaro


Computer Networking Sections

Fire HD
[Site User Agreement] [Privacy Policy] [Site map] [Search This Site] [Contact Form]
Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268