What is SQL Injection?

SQL injection also known as code injection is a technique in which the attacker uses a security vulnerability present in SQL (Structured Query Language) to gain access to a database linked-to website.

After infiltrating the database the attacker can add a new entry, modify existing entries, and can also delete a record, table, or even the whole database at the backend of the website or server rendering it useless for the visitors and users.

SQL injection is performed by incorrectly filtering the user input for string-type literal characters.

Another name for SQL injection is SQL insertion attack. SQL injection is also performed by embedding malicious code inside a string.

This string is then passed to an SQL server object for parsing and execution. There are two types of SQL injection attacks, direct attack, an indirect attack.

Indirect attacks the code is directly entered into variables used for input, these variables are concatenated by SQL commands and then executed with the inserted code. In indirect attacks, the code is injected into a string that is to be stored in the database in a record or table.

Below SQL injection code is shown:

var Mname;
Mname = Request.form ("Mname");
var sql = "select * from OrdersTable where Mname = '" + Mname + "'";

Along with these manual methods of code injection automated tools are also available which make the code injection technique robust and even more devastating.  SQL injection attacks result in a lack of security during defining input parameters for a database.