Do you know what SQL Injection is?

SQL Injection is an attack in which the attacker takes advantage of an insecure internet-facing application to run SQL commands against its database and steal information from it, using nothing more than the website's own user interface.

This attack is possible in applications that build their SQL queries dynamically in code, for example by concatenating user input into the query string.

The attacker tries to inject their own SQL into the statement that the application will use to query the database.

For example, suppose the query below is used for a search feature on a website, and a user enters "Arpit" as the keyword to search for. If the code-behind inserts the keyword directly into the SQL statement, it looks like this:

String sql = "Select EmpName, City from EmployeeMaster where EmpName like '%" + txtSearch.Text + "%'";

But an attacker might instead enter a keyword such as:

' UNION SELECT name, type, id from sysobjects;--

The leading single quote closes the intended string literal, the UNION appends a second query against the sysobjects system table, and the trailing -- comments out the remainder of the original statement. In this way the attacker obtains details of every object in the application database and can use them to steal further information.
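The concatenated query from the answer beside its parameterized fix, as an added Python/sqlite3 example that is not part of the original answer. SQLite stands in for SQL Server here, so its sqlite_master catalogue replaces sysobjects and the payload is reduced to two columns to match the query's column list; the table contents are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the answer's EmployeeMaster table.
# SQLite's sqlite_master catalogue plays the role of SQL Server's sysobjects.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EmployeeMaster (EmpName TEXT, City TEXT)")
    conn.execute("CREATE TABLE SalaryMaster (EmpName TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO EmployeeMaster VALUES (?, ?)",
                     [("Arpit", "Pune"), ("Asha", "Delhi")])
    return conn

def search_concatenated(conn, keyword):
    # Same construction as the answer's C# line: the keyword becomes part of
    # the SQL text, so the database parses whatever the user typed as SQL.
    sql = ("SELECT EmpName, City FROM EmployeeMaster "
           "WHERE EmpName LIKE '%" + keyword + "%'")
    return conn.execute(sql).fetchall()

def search_parameterized(conn, keyword):
    # The keyword is bound as a value; the statement text is fixed, so no
    # input can append a UNION or comment out the rest of the query.
    sql = "SELECT EmpName, City FROM EmployeeMaster WHERE EmpName LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()

# The answer's payload adapted to SQLite: two columns to match the query's
# column list, and sqlite_master in place of sysobjects.
PAYLOAD = "' UNION SELECT name, type FROM sqlite_master--"

def leaked_objects(rows):
    # Result rows that describe a database object rather than an employee:
    # evidence that the catalogue was read through the search feature.
    return sorted(r for r in rows if r[1] == "table")

if __name__ == "__main__":
    conn = make_db()
    print("normal search:          ", search_concatenated(conn, "Arpit"))
    print("concatenated + payload: ", search_concatenated(conn, PAYLOAD))
    print("parameterized + payload:", search_parameterized(conn, PAYLOAD))
```

With concatenation the payload returns the catalogue rows alongside the employees; with binding the same input is just a (non-matching) name and returns nothing.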
