A SQL injection attack consists of the "injection" of a SQL query via the input data from the client to the application, inserting malicious code into strings that are later passed to an instance of SQL Server for parsing and execution. Successful SQL injections exploit can read sensitive data from the database, modify database data, execute adm operations on the database, recover the content of a given file present on the DBMS file system, and in some cases issue commands to the operating system.
SQL Injection allows attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
SQL Injection attacks exploit an application security vulnerability, for example, when user input is either incorrectly filtered for string characters embedded in SQL statements, or user input is not strongly typed and unexpectedly executed.
SQL injection attacks enable attackers to tamper with, delete or steal sensitive data from corporate databases. Watch this webinar where experts from Threat Research Center discuss SQL injection attacks and how to best defend against them.