Wednesday, July 28, 2004
According to Caleb Sima, CTO, SPI Dynamics, SQL Injection flaw occurs when external input is transmitted directly into a SQL string and into a database. This allows an attacker to piggyback SQL commands onto that string and manipulate or steal database information or execute system commands. I personally had come across a lot of this flaws especially when doing simple web scripting. Most users when doing insertion and updates to database via text input based on html forms, never check for invalid characters that could lead to this type of attack.