Sunday, January 20, 2008

What is SQL Injection

For that matter, what is SQL?

SQL stands for Structured Query Language. A majority of websites offer more than just pages of data. They offer products, articles, or any other data stored in a database. A database, as we know, is a collection of tables containing data sorted into columns and rows. When you select a specific product you would like to see, the website must find that product in the database using our input, and then give us all the stored data on that product. SQL is the language most often used to 'query' the database to find our information.

Okay, now what's SQL injection? When a website takes information from us and uses it to query the database, it sends the database a SQL command. Of course, the website administrator only wants us to give the website our selection, and the website sends its own command to the database. How about if we give the website a command together with our selection? Now, when the website sends the SQL command to the database, it sends along our command with it. This command can be quite varied. It may ask to find out passwords, it may add us as a user to the website, or many other things unintended by the website owner. It may not be so clear yet, but as we show how to do it, this concept will become crystal clear. Hold on to your seats, the fun is about to start.
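To make the idea concrete, here is an added example that is not part of the original post. It builds a small in-memory SQLite product catalogue (the product names, table layout and function names are all constructed for illustration) and shows the two ways a site can turn a visitor's selection into a query: splicing the text straight into the SQL command, which lets input that contains SQL syntax change what the command does, and a parameterised query, where the command is fixed and the input can only ever be data.

```python
"""Added example (not from the original post): string-built query beside
its parameterised form, against a constructed in-memory SQLite catalogue."""
import sqlite3

# Constructed sample catalogue: a few products in a "products" table.
SAMPLE_PRODUCTS = [
    (1, "widget", 9.99),
    (2, "gadget", 19.99),
    (3, "gizmo", 4.50),
]


def make_catalogue() -> sqlite3.Connection:
    """Create the sample database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The site splices the visitor's text straight into the SQL command,
    so whatever the visitor typed becomes part of the command itself."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterised query: the command is fixed in advance and the
    database treats the visitor's text purely as a value to compare."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo() -> dict:
    """Run both lookups with an honest selection and with a constructed
    input that is not a product name but happens to contain SQL syntax."""
    conn = make_catalogue()
    honest = "widget"
    crafted = "x' OR 'a'='a"  # constructed; carries a condition of its own
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),  # whole catalogue
        "safe_honest": lookup_safe(conn, honest),
        "safe_crafted": lookup_safe(conn, crafted),  # no product has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Running it shows the string-built lookup returning every row for the crafted input, because the spliced-in text became part of the WHERE clause, while the parameterised lookup returns nothing, since no product is literally named that. The fix is not to filter quote characters but to keep the command and the data separate, which is what the placeholder does.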
