Daily Cup of Tech

With so many online applications becoming critical for many businesses, it is important that they be tested for SQL-injection vulnerabilities.  This quick overview will give you the basics of what you need to know in order to test your web app against SQL-injections.

From Basics of SQL-Injection:

Web Applications relay on dynamic content to achieve the appeal of traditional desktop windowing programs. This dynamism is typically achieved by retrieving updated data from a database. One of the more popular platforms for web datastores is SQL, and many web applications are based entirely on front-end scripts that simply query an SQL database, either on the web server itself or a separate back-end system.

One of the most insidious attacks on a web application involves hijacking the queries used by the front-end scripts themselves to attain control of the application or its data. One of the most efficient mechanisms for achieving this is a technique called SQL-Injection.SQL-Injection refers to inputting raw Transact SQL queries into an application to perform an unexpected action. Often, existing queries are simply edited to achieve the same results–Transact SQL is easily mnipulated by the placement of even a single character in a judiciously chosen spot, causing the entire query to behave in quite malicious ways. Some of the characters commonly used for such input validation attacks include the backtick ( ` ), the double dash ( — ). and the semicolon ( ; ), all of which have special meaning in transact SQL.

What sorts of things can crafty hacker do with a usurped SQL query> Well, for starters, thy could potentially access unauthorized data. With even sneakier techniquies, they can bypass authentication or even gain complete control over the web server or back-end SQL system. Let’s tak alook at what’s possible.

Trackback link - http://www.dailycupoftech.com/2009/03/26/awesome-find-10-basics-of-sql-injections/trackback/