SQL injection is a technique for gaining access to web sites and possibly to other public resources. It can be attempted wherever user input is used and may work if the user input is sent to a database using the common database handling language SQL. SQL injection may work with Logins, Passwords, Form entries, and even some URLs.
The actual injected SQL may vary. One example would be typing 'a' or 1=1 -- for a password. Just possibly the resulting SQL to the authentication data base may be legal and may return a value of true because "1=1" is certainly true. There's a bit more to it than this description. Various alternative forms might work even if the above fails because it is used in every example on the Internal and thus may actually have been tested.
- If any input area in a form permits SQL injection, that area can probably be used to apply a wide variety of legal SQL statements. Even illegal inputs that produce error messages directly from the server database may contain information that can be used to attack the machine.
- Using various techniques, it may be possible to map, access, and quite possibly alter the database. In some cases, it may be possible to execute external programs -- possibly commands that will completely compromise the server and all programs running on it. SQL injection attacks are a mostly a function of data base and web server software rather than the OS that supports them. Databases on both Windows and Unix OSes may be subject to these attacks.
In general SQL injection will be used by sophisticated attackers trying to compromise a corporate server rather than by scripters staging mass attacks on user PCs.
Return To Index
Copyright 1994-2002 by Donald Kenney.