SQL Injection


Structured Query Language (SQL) injection is an attack technique that subverts the intended relationship between a web application and its supporting database, typically by tricking the database into executing SQL statements supplied by the attacker rather than the query the application intended. SQL injection usually involves a combination of over-elevated database permissions, unsanitized or untyped user input, and/or genuine software (database) vulnerabilities. Because SQL injection is possible even when no traditional software vulnerability exists, mitigation is often far more involved than simply applying a security patch.

This paper provides background on SQL injection, explains how it can be detected, and offers guidance on best practices that minimize the risk from this attack vector.