SQL INJECTION

10/16/2004

SQL injection is a technique for gaining access to web sites and possibly to other public resources. It can be attempted wherever user input is used and may work if the user input is sent to a database using the common database handling language SQL. SQL injection may work with Logins, Passwords, Form entries, and even some URLs.

The actual injected SQL may vary. One example would be typing 'a' or 1=1 -- for a password. Just possibly the resulting SQL to the authentication data base may be legal and may return a value of true because "1=1" is certainly true. There's a bit more to it than this description. Various alternative forms might work even if the above fails because it is used in every example on the Internal and thus may actually have been tested.

In general SQL injection will be used by sophisticated attackers trying to compromise a corporate server rather than by scripters staging mass attacks on user PCs.

Return To Index Copyright 1994-2002 by Donald Kenney.