Suggested answers to discussion questions



Date: 30.09.2021
rais12 SM CH08
b. SQL injection
Many web pages receive an input or a request from web users and then, to address that input or request, create a Structured Query Language (SQL) query for the database that the web page accesses. For example, when a user logs into a web page, the user name and password are used to query the database to determine whether they are a valid user. With SQL injection, a user inputs a specially crafted SQL command that is passed to the database and executed, thereby bypassing the authentication controls and effectively gaining access to the database. This can allow a hacker not only to steal data from the database, but also to modify and delete data or the entire database.

To prevent SQL injection attacks, the web server should be reprogrammed so that user input is not directly used to create queries sent to the database.
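The login query described above, as an added example that is not part of the original answer: the same check written once by pasting user input into the SQL text and once with bound parameters. The `users` table, the account `alice`, the function names and the sample inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to mirror the login query described above;
    # a real system stores a salted password hash instead.
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    """User input is pasted into the SQL text, so it can change the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Input is bound as data; the SQL text is fixed before input arrives."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(db, username, password):
    """Run both checks on the same input and report each outcome."""
    results = {}
    for check in (login_vulnerable, login_parameterized):
        try:
            results[check.__name__] = check(db, username, password)
        except sqlite3.OperationalError as exc:
            # Input containing a quote can also simply break the built query.
            results[check.__name__] = "SQL error: %s" % exc
    return results

if __name__ == "__main__":
    db = make_db()
    samples = [                      # constructed inputs
        ("alice", "correct-horse"),  # valid login
        ("alice", "wrong"),          # wrong password
        ("alice", "' OR '1'='1"),    # crafted input: quote ends the string literal
        ("o'brien", "x"),            # ordinary name that contains a quote
    ]
    for username, password in samples:
        print(repr(username), repr(password), compare(db, username, password))
```

The crafted password is accepted by the concatenated query because its quote closes the string literal and the rest is parsed as SQL; the parameterized query compares it as an ordinary (wrong) password.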


