What is sql injection in sql server?

Answer 1

SQL Injection is a hacking technique where a user types SQL into a normal input field prompting the program to execute the unintented SQL script against the database server. As an example, a field on a web site might prompt you to enter your SSN and it will look you up. Behind the Scenes, if the code is adding the SSN to a SQL Statement "SELECT * FROM tblEmployee WHERE SSN = '" & SSNFieldFromWebPage & "'" Entering in 123-45-6789 in that field would result in the following SQL... SELECT * FROM tblEmployee WHERE SSN = '123-45-6789' However, if the user enters something that the programmer didn't intend, such as... ' OR '1'='1 ...the resulting SQL could be... SELECT * FROM tblEmployee WHERE SSN = '' OR '1'='1' ...which would be true for ALL employees, resulting in ALL data being returned. SQL injection is just a threat that software developers need to consider when developing their applications to prevent users from doing unintended things. There are other things such as deleting all data in the database, changing passwords, setting up new user accounts, etc, that if everything is lined up just right could allow a hacker access to your systems or your private data. It's a form of Web Application Hacking Method.

Answer 2

SQL Injection is a form of attack on your SQL server, using the vulnerability of your (usually) HTML form handling of your web-application.

The most common form is to inject additional command into your SQL statement.

Many programmers are not aware of this common issue.

A simple example: you have a HTML form that collect your name.

NAME: [text box] [button GO]

Many programmer, will program in a way that will translate that input to gather information from the SQL server with an SQL statment:

SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name='[name]';

So, the SQLInjector attempt to hijack that by type this into the [text box]:

'; truncate table tblUsers; //

by putting that into the [textbox]; the program will generate this SQL statement:

SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name=' '; truncate table tblUsers; // ';

effectively, when the program execute this statment, the entire tblUser will be deleted!!! This is just a simple example. There are ways to extract the database structure through injection, and by knowing your data structure, have the ability to get user information (ie, password, credit card, etc, etc), and even the SA access; if the sql admin has been slacking ....

Thus, it is extremely important that whoever program your web-application is aware of this. but unfortunately, 90% of web programmers are not aware of this flaw.

SIMPLE SOLUTION:

A very simple solution is that you CLEANSE your data before putting it into an SQL statment, ie in asp:

vsInput = Replace( vsInputbox.text, "'", "''")

this simple statement will effectively stop the use of the ' character;

Alternatively, use parameterized procedure (the best way) but not many people do this.

Answer 3

An SQL injection is a technological term. It occurs when an exploit attacks certain parts of your hard drive and inserts a malicious code into a server. The purpose is to hijack a server or otherwise destroy it.