4 replies to this topic

[5imp7y]

I know very little on the topic. Can someone just explain to me what it is. I tryed to read up on it, not to attempt it, but learn what heppened to this site that i loath. Game hackers got hacked, i just thought it was funny. They spoke of somthing about sql injection and their servers were all sorts of messed up. I dont really want to do it, moreso want to know what it does? hi' 1=1 -- ??

[Afterm4th]

First you need to understand a little bit about databases. SQL is the language of databases.

Creating malformed queries in the database can give you results that you're not supposed to get.



http://en.wikipedia.org/wiki/SQL_injection

A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Using well designed query language interpreters can prevent SQL injections. In the wild, it has been noted that applications experience, on average, 71 attempts an hour.[1] When under direct attack, some applications occasionally came under aggressive attacks and at their peak, were attacked 800-1300 times per hour.[2]

[Powermaniac7]

Wikipedia is so helpful these days, disappointing how schools tell you not to use Wikipedia because anyone can't edit it/type it. So can anyone make a web page stupid teachers.

Hmm this helps answer my exact same question on this subject and is an interesting topic.

That makes me wonder is using Java through the website address bar consider to be SQL injection or can it be used for this hypothetically because there was a modification for Facebook using it when I was on there. Wouldn't go near that site any more though.

[Afterm4th]

Wikipedia is indeed great for technical information. Stuff like history, i wouldn't trust as much. But as far as finding tech info, wiki is great.

what kind of javascript were you putting in the address bar? Sounds like cross site scripting

[TheFunk]

Afterm4th did a good job of explaining SQL Injection, but I'm going to dumb it down some, so that if anyone from the Nubie HQ forums (like myself) decides to tread into the deeper waters they'll have a reference to go by

SQL, as Afterm4th stated is the language of databases. There are several database types out there (MySQL, Oracle, etc) but the important thing to know is that to get information from your database, you or a script you wrote, needs to send a query asking for said info. Injection is the process of taking this query, and malforming it in such a way as to confuse the database and have it hand over more information or perform a different operation than what it was supposed to. This type of attack is especially dangerous because anything from user credentials and passwords to credit-card information and social security numbers could be stored in a single database.

Hopefully this was informative...so anyone have some snow yet?