Best Answer

SQL Injection is a hacking technique where a user types SQL into a normal input field, prompting the program to execute the unintended SQL script against the database server. As an example, a field on a web site might prompt you to enter your SSN and it will look you up. Behind the scenes, if the code is adding the SSN to a SQL statement:

"SELECT * FROM tblEmployee WHERE SSN = '" & SSNFieldFromWebPage & "'"

Entering 123-45-6789 in that field would result in the following SQL:

SELECT * FROM tblEmployee WHERE SSN = '123-45-6789'

However, if the user enters something that the programmer didn't intend, such as:

' OR '1'='1

...the resulting SQL could be:

SELECT * FROM tblEmployee WHERE SSN = '' OR '1'='1'

...which would be true for ALL employees, resulting in ALL data being returned. SQL injection is just a threat that software developers need to consider when developing their applications, to prevent users from doing unintended things. There are other things, such as deleting all data in the database, changing passwords, setting up new user accounts, etc., that if everything is lined up just right could allow a hacker access to your systems or your private data. It's a web application hacking method.

Wiki User

12y ago
Wiki User

11y ago

SQL Injection is a form of attack on your SQL server, using the vulnerability of your (usually) HTML form handling of your web-application.

The most common form is to inject additional command into your SQL statement.

Many programmers are not aware of this common issue.

A simple example: you have an HTML form that collects your name.

NAME: [text box] [button GO]

Many programmers will program in a way that translates that input into a query against the SQL server with an SQL statement:

SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name='[name]';

So, the SQL injector attempts to hijack that by typing this into the [text box]:

'; truncate table tblUsers; //

By putting that into the [text box], the program will generate this SQL statement:

SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name=' '; truncate table tblUsers; // ';

Effectively, when the program executes this statement, the entire tblUsers table will be deleted!!! This is just a simple example. There are ways to extract the database structure through injection, and by knowing your data structure, have the ability to get user information (i.e. passwords, credit cards, etc., etc.), and even SA access, if the SQL admin has been slacking ....

Thus, it is extremely important that whoever programs your web application is aware of this. But unfortunately, 90% of web programmers are not aware of this flaw.

SIMPLE SOLUTION:

A very simple solution is that you CLEANSE your data before putting it into an SQL statement, i.e. in ASP:

vsInput = Replace( vsInputbox.text, "'", "''")

This simple statement will effectively stop the use of the ' character.

Alternatively, use parameterized procedures (the best way), but not many people do this.

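An added example, not from any answer on this page, that runs the first answer's `' OR '1'='1` input against the concatenated query, then the second answer's quote-doubling cleanse, then a parameterized query. It uses Python with an in-memory SQLite table standing in for SQL Server's tblEmployee (the table, columns and rows are constructed here); the string-building bug and the parameterized fix look the same against SQL Server through any driver that supports query parameters.

```python
import sqlite3

# Constructed sample rows; the table name and SSN column follow the first answer.
SAMPLE_ROWS = [("123-45-6789", "Alice"), ("987-65-4321", "Bob"), ("555-55-5555", "Carol")]


def make_db():
    """Build an in-memory SQLite table standing in for SQL Server's tblEmployee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblEmployee (SSN TEXT, Name TEXT)")
    conn.executemany("INSERT INTO tblEmployee VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, ssn):
    """Vulnerable: the user's text is glued into the SQL, exactly as in the answers above."""
    sql = "SELECT SSN, Name FROM tblEmployee WHERE SSN = '" + ssn + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, ssn):
    """Quote-doubling cleanse from the second answer (Replace(x, "'", "''")).
    It keeps the value inside the string literal, but only protects places where
    the value is always wrapped in single quotes."""
    sql = "SELECT SSN, Name FROM tblEmployee WHERE SSN = '" + ssn.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, ssn):
    """Recommended: the driver sends the value separately from the SQL text,
    so it is never parsed as part of the statement."""
    return conn.execute("SELECT SSN, Name FROM tblEmployee WHERE SSN = ?", (ssn,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"                              # the first answer's input
    print(lookup_concatenated(db, "123-45-6789"))         # the one matching row
    print(lookup_concatenated(db, injected))              # every row: injection succeeded
    print(lookup_escaped(db, injected))                   # []: quotes doubled, treated as data
    print(lookup_parameterized(db, injected))             # []: value never becomes SQL
```

Quote-doubling only helps where the value sits inside a quoted string literal, so the parameterized form is the one to use everywhere.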
Wiki User

10y ago

An SQL injection is a technological term. It occurs when an exploit attacks certain parts of your hard drive and inserts malicious code into a server. The purpose is to hijack a server or otherwise destroy it.

Q: What is sql injection in sql server?