SQL Injection in Web Application
To understand SQL injection, you first need to understand how a website's information system is structured. Code flaws in the way web pages talk to the underlying database management system that feeds them with information are statistically the main security flaw found in websites after XSS. If a web page doesn't check the way it requests and retrieves information, someone can inject their own input into those requests and manipulate the website or even the whole server.
Suppose a web page sends a SQL command such as: SELECT id FROM pages WHERE id='variable'; Normally, variable contains the number of the page to retrieve and show to the user. If the value of variable is: '; SELECT passwords FROM data WHERE '1' = '1' ; the database reveals all data stored in passwords because the condition always evaluates to true. A more destructive value of variable is: '; DROP TABLE pages; The possibilities are countless, from simple data extraction to data destruction or massive defacement that can damage an organization's reputation.
A developer can prevent SQL injection by filtering or escaping special characters in user input and by restricting the privileges of the database account that the web page uses for its queries.
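The two defenses above, shown side by side with the flawed query, as an added example that is not part of the original article. It assumes Python's built-in sqlite3 module; bound parameters stand in for hand-written escaping, and an SQLite authorizer stands in for a restricted database account. The table contents and the input are constructed, with the page's passwords query rewritten as a UNION because sqlite3 runs one statement per call.

```python
import sqlite3

# Constructed input: closes the quoted id, then reads the passwords column.
INJECTED = "' UNION SELECT passwords FROM data WHERE '1' = '1"

def make_db():
    """Constructed sample database using the table names from the text."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id TEXT, body TEXT);
        CREATE TABLE data (passwords TEXT);
        INSERT INTO pages VALUES ('1', 'home'), ('2', 'about');
        INSERT INTO data VALUES ('constructed-secret');
    """)
    return db

def get_page_vulnerable(db, variable):
    # Flaw: the input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT body FROM pages WHERE id='" + variable + "'"
    return db.execute(sql).fetchall()

def get_page_bound(db, variable):
    # Fix: the value is bound to a placeholder and travels as data only.
    sql = "SELECT body FROM pages WHERE id=?"
    return db.execute(sql, (variable,)).fetchall()

def restrict_to_pages(db):
    # Least privilege: this connection may only run SELECTs that read
    # the pages table. Writes, DROP and other tables are denied.
    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "pages":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    db.set_authorizer(authorizer)

def blocked_by_privileges(db, variable):
    # True when the database refuses the query even through flawed code.
    try:
        get_page_vulnerable(db, variable)
    except sqlite3.DatabaseError:
        return True
    return False

if __name__ == "__main__":
    print("vulnerable:", get_page_vulnerable(make_db(), INJECTED))
    print("bound:     ", get_page_bound(make_db(), INJECTED))
    limited = make_db()
    restrict_to_pages(limited)
    print("blocked:   ", blocked_by_privileges(limited, INJECTED))
```

The restricted connection still serves normal page lookups, so the privilege limit contains the damage of an injection flaw without breaking the page.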
SQL injection is not the only way to deface a web page. Network-related flaws on the server side and flaws in server software are also often exploited.
Fortunately, most servers and network firewalls keep logs of suspicious activities that may lead to arrests.