What is SQL Injection?
The question "what is SQL injection?" is often asked, since it has become such a common way of exploiting web coding vulnerabilities.
Well, a prerequisite is some form of database being used by the web site or web application. SQL (Structured Query Language) is a programming language which can be used to view, add, modify and delete the content of databases. Whilst the exact SQL syntax varies slightly between database products, there are many common aspects and relatively few database products in widespread use.
SQL injection is the modification of the intended SQL statement so that some other action occurs. Often, this is used to add other content, such as links to other sites, to your own web content.
The Web Application Security Consortium Web Security Glossary defines SQL Injection as:
An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input.
There's a nice summary at 2008 - The Year of the SQL Injection Attack by David Rook on BlogInfoSec.com. Even after correcting the vulnerability and cleansing contaminated data, SQL injection can have a longer-lasting effect - see SQL Injection Poses Search Engine Optimisation Threat.
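To make the definition above concrete, here is an added example (not code from the original post) showing the difference between a query built by string concatenation and the same query written with a bound parameter. The table, its rows and the input strings are all constructed for the illustration; it runs against Python's built-in sqlite3 module, but the point applies to any database product. In the concatenated version the characters of the input become part of the SQL statement itself, so a value containing a quote and an OR clause alters the statement's logic and returns every row; in the parameterised version the SQL text is fixed and the same value is only ever compared as data.

```python
import sqlite3


def build_db():
    # Constructed in-memory sample database (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("home", "Welcome"), ("about", "About us"), ("contact", "Email us")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    # The intended statement is: SELECT slug FROM pages WHERE slug = '<slug>'
    # Building it by concatenation lets characters in the input (a quote,
    # a keyword) become part of the SQL, which is exactly what "altering
    # backend SQL statements through application input" means.
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, slug):
    # The SQL text never changes; the driver sends the value separately,
    # so whatever the input contains it can only be compared as data.
    sql = "SELECT slug FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


def demo():
    conn = build_db()
    normal = "about"
    # Constructed input containing a quote and an OR clause; in the
    # concatenated query it changes the WHERE condition to one that is
    # true for every row.
    altered = "x' OR 'a'='a"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_altered": lookup_vulnerable(conn, altered),
        "param_normal": lookup_parameterised(conn, normal),
        "param_altered": lookup_parameterised(conn, altered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it prints the "vulnerable_altered" lookup returning all three slugs while "param_altered" returns none, which is the whole of the fix: keep user input out of the SQL text and pass it as a bound parameter, whatever the database product.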
Posted on: 13 January 2009 at 10:19 hrs
