Security 101: SQL Injection

A carefully crafted attack can convince a database to reveal all its secrets. Understanding the basics of what the attack looks like and how to protect against it can go a long way toward limiting the threat.

(Image by Leigh Prather, via Adobe Stock)



Many web-facing enterprise applications have databases sitting behind them. For many of those, the application itself is little more than a snazzy user interface sitting on top of a database. And in 2020, it's a near certainty that the database speaks Structured Query Language, or SQL. That's great news for the developers who need maximum flexibility in creating applications. It's also pretty great for criminals who want to convince the database to give up far more information than any single user should see.


SQL Injection is a hacking technique that's been around since at least 1998. It takes advantage of two factors for success: First, web applications often ask users for data; and second, those applications tend to take the user-supplied data and pass it to the database as part of an instruction. Put them together with no code-based guard-rails, and the possibility exists for a criminal to run the application far off into the weeds.


Structure of a query


In a common application fragment, a user might be asked for their user name in order to see the information the enterprise holds on their account. When they type their user name into the application and hit "Enter", the code that results could look something like this:


statement = "SELECT * FROM users WHERE name = '" + userName + "';"


This tells the database to select everything ("*") in a database called "users" in which there's ..
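To make the risk concrete, the following is an added example written for this page, not code from the original article. It reproduces the concatenated fragment above in Python against an in-memory SQLite table (the table layout, the row values and the user-supplied inputs are all constructed here) and places it beside the hardened form, which hands the user name to the database as a bound parameter instead of splicing it into the statement text.

```python
import sqlite3


def make_db():
    """Build a small constructed 'users' table in memory (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
            ("o'brien", "obrien@example.com"),  # a legitimate name containing a quote
        ],
    )
    return conn


def lookup_concat(conn, user_name):
    """Vulnerable: the article's fragment, with user input glued into the SQL text."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_param(conn, user_name):
    """Hardened: the '?' placeholder is filled by the driver; the input is data, never SQL."""
    statement = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(statement, (user_name,)).fetchall()


def demo():
    """Run both forms on a normal name, a quote-bearing name and a tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that turns the WHERE clause into 'always true'
    results = {
        "concat_normal": len(lookup_concat(conn, "alice")),          # 1 row, as intended
        "concat_tautology": len(lookup_concat(conn, tautology)),    # every row leaks
        "param_tautology": len(lookup_param(conn, tautology)),      # no such user: 0 rows
        "param_apostrophe": len(lookup_param(conn, "o'brien")),     # quotes are just data
    }
    try:
        lookup_concat(conn, "o'brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.Error:
        # Concatenation also breaks on honest input with an apostrophe: a sign the
        # statement text and the data are not separated.
        results["concat_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns one row for a real user name but the whole table for the tautology input, and it fails outright on a genuine name that happens to contain a quote. The parameterized query treats both inputs as a literal value to compare against, which is the property a defender wants: the shape of the statement is fixed before any user data arrives.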
