This is now my technical-only blog; my non-technical blog is here.

26 August 2005

SQL Injection

What the heck is SQL injection!? It is a kind of application-level attack that targets SQL database servers. It is one variant of code injection attack, and it depends on inserting malformed data into form inputs on web pages. What makes application-level attacks, especially SQL injection, important is that they need nothing but a web page written in ASP, PHP, etc. hosted on an Apache or IIS web server, even if that server is hardened and installed behind a very robust firewall. Here is a good article I found on SQL injection, and I hope that you find it useful.
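To make the mechanism concrete, here is an added example (not from the original post or the linked article) that puts a login query built by string concatenation beside the same query with bound parameters. It uses Python and an in-memory SQLite database as stand-ins for the ASP/PHP page and database server; the table, account and form inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concatenated(db, name, password):
    """Vulnerable: form values are pasted into the SQL text itself,
    so a quote character in the input changes the query's structure."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0

def login_parameterized(db, name, password):
    """Hardened: the SQL text is fixed and the values are bound
    separately, so input is only ever compared as data."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0

def compare(name, password):
    """Return (concatenated_result, parameterized_result).
    The concatenated result is None when the query fails to parse."""
    db = make_db()
    try:
        vulnerable = login_concatenated(db, name, password)
    except sqlite3.Error:
        vulnerable = None
    return vulnerable, login_parameterized(db, name, password)

# Constructed form inputs: valid login, wrong password, malformed
# input containing quotes, and a harmless name with an apostrophe.
SAMPLES = [
    ("alice", "correct-horse"),
    ("alice", "wrong"),
    ("alice", "' OR '1'='1"),
    ("o'brien", "x"),
]

if __name__ == "__main__":
    for name, password in SAMPLES:
        print(repr(name), repr(password), compare(name, password))
```

The third input is accepted by the concatenated query and rejected by the parameterized one, and the fourth shows that even a legitimate apostrophe breaks the concatenated query. Neither the web server's hardening nor the firewall is involved in either outcome; only the application code differs.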


  1. The real problem with SQL injection is that the user, the webmaster and the admin can't do anything about it; only the application developer can.

  2. You are so right, Alaa. OK, the webmaster can add some JavaScript routines to his page to validate the user's input. However, this cannot guarantee anything, as the attacker can inject whatever she wants from the command line, or even make her own page on her server and have it submitted to the victim server.
    Also, Microsoft claims that ASP.NET is immune to such attacks, but I'm really not sure of that.

  3. This is really important information. I had no clue about SQL injections before reading your post. Now I am thinking they are very harmful for our SQL database servers. I want to explore more about them. Thanks for this information.