Posted 16 December 2011 - 03:08 AM
Posted 16 December 2011 - 06:33 PM
Creating malformed queries in the database can give you results that you're not supposed to get.
A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Using well designed query language interpreters can prevent SQL injections. In the wild, it has been noted that applications experience, on average, 71 attempts an hour. When under direct attack, some applications occasionally came under aggressive attacks and at their peak, were attacked 800-1300 times per hour.
Posted 17 December 2011 - 05:47 AM
Hmm this helps answer my exact same question on this subject and is an interesting topic.
That makes me wonder is using Java through the website address bar consider to be SQL injection or can it be used for this hypothetically because there was a modification for Facebook using it when I was on there. Wouldn't go near that site any more though.
Posted 17 December 2011 - 12:57 PM
Posted 18 December 2011 - 01:56 PM
SQL, as Afterm4th stated is the language of databases. There are several database types out there (MySQL, Oracle, etc) but the important thing to know is that to get information from your database, you or a script you wrote, needs to send a query asking for said info. Injection is the process of taking this query, and malforming it in such a way as to confuse the database and have it hand over more information or perform a different operation than what it was supposed to. This type of attack is especially dangerous because anything from user credentials and passwords to credit-card information and social security numbers could be stored in a single database.
Hopefully this was informative...so anyone have some snow yet?
BinRev is hosted by the great people at Lunarpages!