Wikipedia: “SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.”
Microsoft Corp: “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.”
I won't be explaining much here, as this is just an introduction to SQL strings, not a tutorial [:)].
From the excerpts above you should have an idea of what SQL injection is. SQL strings are the pieces of malicious code used to hack into sites that have this vulnerability. What a hacker does is:
- Searches for sites which have SQL vulnerabilities.
- Once he’s done with that, the SQL strings come in. He gets a list of strings or makes them on his own and then tries the strings one by one. This is time-consuming, so a programmer can write an app to do the job, just like cracking software. An example of a string would be ‘ or 1=1, anypassword
- If he’s successful, he gets into the administration area of the site. From there he can edit the whole site and its contents.
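To show why such a string matters to whoever writes the login code, here is an added example (not from the original post) that feeds the string quoted above to a login query built by concatenation and to the same query using placeholders. The table, account and function names are assumptions made up for the demo; against this constructed query the string causes a SQL error in the concatenated form, which already shows the input is being parsed as SQL, while the parameterized form simply rejects it as a wrong username.

```python
import sqlite3

def make_db():
    """Constructed demo database with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to keep the demo short; store salted hashes in practice.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def login_concatenated(conn, username, password):
    """Weak form: input is pasted into the SQL text, so a quote in it is parsed as SQL."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep input as data, whatever characters it contains."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def outcome(login, conn, username, password):
    """Classify one attempt; a SQL error means the input reached the SQL parser."""
    try:
        return "accepted" if login(conn, username, password) else "rejected"
    except sqlite3.Error:
        return "sql-error"

# The string quoted in the list above, typed with an ASCII apostrophe.
PAGE_USERNAME, PAGE_PASSWORD = "' or 1=1", "anypassword"

if __name__ == "__main__":
    conn = make_db()
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              "| valid login:", outcome(fn, conn, "admin", "correct-horse"),
              "| page string:", outcome(fn, conn, PAGE_USERNAME, PAGE_PASSWORD))
```

A login test suite can use the same `outcome` check: any input that yields `sql-error` marks a query that is still being assembled from user input.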