SQL Injection

A type of attack that exploits a common flaw in the way software is written: text supplied by a user is spliced into a SQL statement, so the attacker can insert SQL commands into a context where the program expected only data. (If that doesn't make sense, keep reading.)

Example: Let's say your application asks each user for a password. The application takes the password and uses it to build a statement, or command, in Structured Query Language (SQL). What a clever hacker can do is structure what he types into that password field so that the database terminates the statement your application meant to run and begins a new one supplied by the hacker. In this way the hacker causes the computer to execute commands you never intended. Your server has been hijacked.

If your application is well-written, it performs "input validation": it examines what's typed into the input field to make sure no such funny business is going on. But many applications don't include input validation.
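The password scenario above, as an added example that is not part of the original entry: a login check that splices the password straight into the SQL text, beside the same check written with query parameters so the database treats the input purely as data. The table, the user, and the payload are constructed for this demonstration.

```python
import sqlite3

# Constructed in-memory database with a single user (sample data, not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # The password text becomes part of the SQL itself, so a quote character
    # in it changes the statement's structure instead of being compared as data.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, name, password):
    # Placeholders hand the values to the driver separately from the statement
    # text; whatever the user typed is always bound as a plain string.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def demo():
    conn = make_db()
    # A "password" that closes the quoted literal and appends an always-true condition.
    payload = "' OR '1'='1"
    return {
        "vulnerable_accepts_payload": login_vulnerable(conn, "alice", payload),
        "safe_accepts_payload": login_safe(conn, "alice", payload),
        "safe_accepts_real_password": login_safe(conn, "alice", "correct-horse"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable version grants access with a wrong password because the injected text rewrites the WHERE clause; the parameterized version compares the same text literally and rejects it.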
