SQL Injection is a technique where an attacker creates or alters existing SQL commands (by using some special symbol) to gain access to unintended data or even the ability to execute system level commands in the server. SQL injections are the result of Poor Input Validation and can be blocked by proper input validation.
Application that do not correctly validate and/or sanitize the user input, can potentially be exploited in several ways:
· Changing SQL values.
· Concatenating SQL Values.
· Adding Function calls & stored Procedures to a statement.
· Typecast and concatenate retrieved data.
· Adding system functions & procedure to find out critical information about the server.