I] What is SQL injection?
1) SQL Injection is a technique for attacking a database through a web application.
2) Unvalidated user input is concatenated into the SQL query that the web application sends to the database, so whatever the user typed is executed as part of the query.
II] Example/How to do SQL injection:
In URL: http://www.employee.com/details/employe.aspx?Empid=47 (where the user's details are displayed, the attacker can change the query string and re-request the URL)
like: http://www.employee.com/details/employe.aspx?Empid=47; drop table employee
If the page builds its query by string concatenation, the text sent to the database becomes something like SELECT * FROM employee WHERE Empid = 47; drop table employee, and a server or driver that accepts batched statements runs the DROP TABLE as a second statement (whether batching is accepted depends on the database and driver in use).
Sending SQL commands of this kind through an input box or URL so that the database executes them is called SQL injection.
III] How to avoid/prevent SQL injection?
1) Never build queries by concatenating user input; use parameterized queries, or stored procedures called with parameters (a stored procedure that concatenates its arguments into dynamic SQL is just as vulnerable).
2) Validate parameters before passing them to the server (for example, Empid must be an integer).
3) Check and escape special characters that have meaning to the database, such as quotes and semicolons; treat this as defence in depth, not as a substitute for parameterization.
4) Configure error reporting so that detailed database errors are not shown to users, since they reveal query structure to an attacker.
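The injection from section II and the defences from section III, side by side, as an added example that is not code from the original page. It uses Python's sqlite3 module with an in-memory database and constructed sample rows in place of the employee table behind employe.aspx; the function names, the table layout and the O'Brien row are assumptions made for illustration. executescript() stands in for a database driver that accepts batched statements, which is what the trailing "; drop table employee" relies on.

```python
import sqlite3

# Added example, not code from the original page. The in-memory database,
# the employee table layout and the sample rows are constructed for
# illustration; function names are assumptions.


def make_db():
    """Create the sample employee table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE employee (empid INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO employee VALUES (47, 'Alice'), (48, 'O''Brien');
        """
    )
    return conn


def table_exists(conn, table):
    """Look in the catalogue so we can see whether an injected DROP ran."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, empid):
    """Vulnerable: the Empid query-string value is pasted into the SQL text.

    executescript() runs every statement in the string, like a server or
    driver that accepts batched statements, so an injected second statement
    such as "drop table employee" is executed too.
    """
    sql = "SELECT name FROM employee WHERE empid = " + empid
    conn.executescript(sql)


def is_valid_empid(empid):
    """Point 2 of the prevention list: Empid must be a plain integer."""
    return isinstance(empid, str) and empid.isdigit()


def lookup_safe(conn, empid):
    """Hardened: validate the input, then bind it as a parameter.

    The '?' placeholder is filled in by the driver; the value never becomes
    part of the SQL text, so it cannot add a second statement.
    """
    if not is_valid_empid(empid):
        raise ValueError("Empid must be a positive integer")
    row = conn.execute(
        "SELECT name FROM employee WHERE empid = ?", (int(empid),)
    ).fetchone()
    return row[0] if row else None


def find_by_name(conn, name):
    """A string parameter bound the same way: quotes inside the value are
    data, so no manual replacing of special characters (point 3) is needed."""
    row = conn.execute(
        "SELECT empid FROM employee WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "47; drop table employee"

    db = make_db()
    lookup_vulnerable(db, payload)
    print("table after vulnerable lookup:", table_exists(db, "employee"))

    db = make_db()
    try:
        lookup_safe(db, payload)
    except ValueError as err:
        print("safe lookup rejected input:", err)
    print("table after safe lookup:", table_exists(db, "employee"))
    print("Empid 47 ->", lookup_safe(db, "47"))
    print("name O'Brien ->", find_by_name(db, "O'Brien"))
    print("name x' OR '1'='1 ->", find_by_name(db, "x' OR '1'='1"))
```

Run it and the first table_exists() check prints False: the concatenated query let the injected DROP TABLE execute. With the same payload, lookup_safe() refuses the input before any SQL is sent, and even a value that passed validation could only ever be compared against empid, never run as a statement. find_by_name() shows why parameter binding, not character replacement, is the primary defence: the quote in O'Brien is matched as data, and the classic ' OR '1'='1 payload simply finds no row.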