what is SQL Injection and SQL injection attacks

What is SQL Injection?
What is SQL injection attack?

When you are working with the SQL in your web-site then you need to careful on SQL injection, make sure that your programmer consider all SQL statements in that way that no one can hack your website using SQL injection. SQL injection is a technique used to hack your website, attacker use the non-validated input vulnerabilities and then pass it to SQL commands via a Web application or web-site for execution in the database. when any web application or web-site made by the programmer then attackers take advantage of that and pass the parameters in the SQL statement which is not done by the programmers, but they pass the parameters with the parameters set by the programmers, and because of that their parameters embed in SQL commands with the programmers parameters. On the result of this attacker/hackers can execute  SQL queries/commands with their conditions on the database server through the Web application or web-site.

All programmers make a query strings using the SQL statement and the parameters, when they need parameters in the web application then they make the sql statement run time and then pass it to the database server. so when they collect their parameter at that time the attackers/hackers pass their parameters and because of that its joint in the SQL statement, this is knows as the SQL Injection. i will show you this with example.

SQL Injection Example:

suppose your site made in php and php programmer made the login screen and take username and password from the end user to login, in this case he wrote below code to make SQL statement.

$SQL = “SELECT * FROM QATRICKS WHERE usename='”.$_REQUEST[“username”].”‘ AND password='”.$_REQUEST[“password”].”‘”;

Here when php programmer collect information from $_REQUEST parameter then attackers pass like as below

PASSWORD : qatricks AND password=’php freelancer’ AND password=’patel’

Now in this case SQL statement made wrong because attackers pass parameters in the passwords fields.

I hope this should be clear on the SQL Injection, and if you are going to make your web-site then you need to careful on this and have to inform your programmer so he will be more careful on the SQL Injection.