SQL is a language used to interact with databases. In a SQL injection attack, the attacker puts “holes” in an application by inserting malicious code into strings that are later executed. In other words, SQL injection is carried out by placing special characters into existing SQL commands and modifying their behavior to achieve the attacker’s desired result. The college’s database was an attractive target because it contains critical application information about the students (not only web applications). Any application that receives input and uses that input to request information from a data repository by constructing SQL is potentially vulnerable to a SQL injection attack. These characters are significant because they tell the database to treat everything as a comment. SQL injection requires considerable skill to execute, and the effects can be dramatic.
There is more than one way to perform SQL injection.
The C code is ideal for direct interaction with databases and is a sweet spot for attackers to target because of the unprotected SQL statements that are created as part of the data processing functions.
As with the C code, the Java application also allows the user to input any string of characters and values, including the OR condition that will be appended to the SQL statement and executed by the MySQL server. Ruby and C# are also open source languages that attackers use to perform SQL injection.
The attacker who hacked the college database might have used blind SQL injection. In this situation the web application is vulnerable to SQL injection, but the results are not visible to the attacker.
The first thing the attacker will do is find a table name. Next comes finding a username. From there a smart hacker can easily find a student’s username and password with SELECT * FROM Users WHERE UserId = 105 or 1=1. The condition 1=1 is always true, so the WHERE clause holds for every row. This example can gather information about the student and manipulate it on the web.
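The query above, as an added example in Python with the standard sqlite3 module (not code from the original page): the concatenated lookup returns every row for the input 105 or 1=1, while the parameterized lookup treats the same input as a single value. The table layout, the sample rows and the function names are assumptions made up for the illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory Users table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "alice", "hash-a"), (106, "bob", "hash-b"), (107, "carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The input is pasted into the SQL text, so "105 or 1=1" becomes part
    # of the WHERE clause instead of staying a value.
    query = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    # The ? placeholder binds the input as one value; it is never parsed as SQL.
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()


def lookup_validated(conn, user_id):
    # Defense in depth: reject anything that is not a plain integer id,
    # then still use the parameterized query.
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("UserId must be numeric")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    for value in ("105", "105 or 1=1"):
        print(repr(value), "concatenated  ->", len(lookup_vulnerable(db, value)), "rows")
        print(repr(value), "parameterized ->", len(lookup_parameterized(db, value)), "rows")
```
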
In order the...