What is SQL Injection:
I have gone through many SQL Injectio
n tutorials before writing this post. One thing was common at every place, the queries coming from the readers. Many people don’t know what actually SQL Injection is. They think that they can easily enter into the database and make some changes, or they can simply inject some query and will have the username and password of the administrator. Well !!! Till some extent the concept is true but it is not that much easy.
So first we need to learn what is SQL Injection or better we should know what is SQL… SQL, the Structured Query Language, is the standard to access databases. Most web applications today use an SQL database to store persistent data for the application. It is likely that any web application you are testing uses an SQL database in the backend. Like many languages, SQL syntax is a mixture of database instructions and user data. If a developer is not careful, the user data could be interpreted as instructions, and a remote user could perform arbitrary instructions on the database. So, whenever we want any data to be accessed from any application our request goes in the form of SQL queries. Suppose for example, in any online library if we want to access any particular book then our request will go in form of following language,
"SELECT booktitle FROM my_library WHERE " + " bookname=' " +SQLtutorial+ " ' ";
So, in the above case the application takes the bookname from the user and searches it in the TABLE named my_library and if after matching returns that particular page. So it means if that particular name doesn’t match it should not return anything, but in actual scenario there is nothing stopping an attacker from injecting SQL statements in the bookname field to change the SQL query. Let’s re-examine the SQL query string. Continue reading
/etc/hacked 