Structured Query Language (SQL) is a database language designed and used for managing records in Rational Database Management Systems (RDBMS). SQL injection is a type of cyber attack that uses malicious SQL code (SQL injection code) to exploit vulnerabilities in the any SQL Database to obtain or manipulate to access information that may include valuable number of items, lists customer details, customer’s credit card numbers, sensitive company’s data, or username and password of customers / service users.
Hacker conducts SQL injection attack by inserting malicious code into a web form field or manipulate website’s code with injection code or searching for SQL vulnerability using SQL injection framework tools in standalone or operating system (i.e Kali Linux) for special exploit. Hacker search for webpages that is login page, registration page, search form and other webpage forms, within any form code <form> and </form> inhere is parameter to discover the vulnerability and later use injection code along with common SQL commands. A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 or blah’ or 1=1– into the input field on a webpage to test for SQL vulnerabilities.
Blind SQL Injection
SQL vulnerability test code: http://webpagename/index.php?id=blah’ or 1=1– | 105 OR 1=1 | blah’ or 1=1– or similar SQL commands may allow hacker to bypass login or flesh rows of table in database or even all tables in a database