In Chapter 3, Finding Entry Points, and in other chapters of this book, we have discussed that any time user input is trusted and mixed with code, there is a security risk. SQL injection follows the same principle. Essentially, the attacker s goal is to provide specially crafted data to the application that uses a database to alter the behavior of SQL commands the application intends to run. SQL injection bugs occur any time the attacker is able to manipulate an application s SQL statements.
This chapter focuses on the following topics related to SQL injections bugs:
Why you should be concerned with SQL injection bugs
General testing approach to find SQL injection issues
Common attempts a developer uses to prevent them
Repurposing stored procedures
Similar injection attacks