Read the book Cybersecurity For Dummies - Joseph Steinberg - Page 87

SQL injection


SQL injection attacks are a specific type of injection attack that exploits the way most computer systems store data: in relational databases that provide access to people and systems through what is known as standard Structured Query Language (SQL) interfaces. When an attacker launches a SQL injection attack, the attacker simply submits data to the system that includes SQL commands rather than regular data. For example, suppose the system asks the user to submit a user ID in order to search on it. An attacker who is aware of the SQL command the system is likely to send to its database in order to perform that search can instead submit a "user ID" that consists of code to both complete that command and issue another command to display all records in the database. If the system is not protected against SQL injection, it might do exactly what the attacker wants.

Even if the SQL injection attack does not fully work — and the system being attacked does not display the data — the system’s response to the SQL injection attack may still reveal information about how it handles SQL injection, thereby providing the hacker with information about the system, the database, and the security mechanisms in place (or information as to what is not in place that should be).
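As an added illustration of the mechanism described above (example code written for this page, not from the book), the following Python snippet builds a small constructed SQLite database and runs the same user-ID lookup two ways: assembled by string concatenation, where a crafted "user ID" of the kind the book describes turns the search for one record into a request for every row, and as a parameterized query, where the submitted text is bound as data and the database matches nothing. The table, column and sample user names are assumptions.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed in-memory sample database (not from the book): three user records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The query text is assembled by concatenation, so whatever the user submits
    # becomes part of the SQL statement itself. This is the pattern that makes a
    # system "not protected against SQL injection".
    query = "SELECT user_id, email FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # The SQL text is fixed; the submitted value is bound by the driver as data,
    # so it is compared against user_id and never interpreted as SQL syntax.
    query = "SELECT user_id, email FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()

# Hypothetical input of the kind the book describes: it closes the quoted string
# the application opened and completes the WHERE clause with a condition that is
# always true, so the vulnerable query returns all records instead of one.
INJECTED_ID = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("legitimate ID, concatenated query:", lookup_vulnerable(conn, "alice"))
    print("crafted ID, concatenated query:   ", lookup_vulnerable(conn, INJECTED_ID))
    print("crafted ID, parameterized query:  ", lookup_parameterized(conn, INJECTED_ID))
```

Run as a script, the second line prints all three records while the third prints an empty list; the only difference between the two lookups is whether the user's input is bound as a parameter.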

