A New Solution to Increase SQL Based Applications Security

Jan 28, 2008 17:00 GMT

Relational databases are managed with SQL (Structured Query Language), which lets you manipulate the data held in a collection of tables. In practice, at the web level, SQL is the bridge of communication between a web application and its database; in the same manner, the user ends up interacting with the database at some point in any database-driven application.

SQL injection is an attack method that exploits security vulnerabilities in web applications with a database backend. It takes many forms, but it basically consists of malicious SQL code (or SQL that the application was never intended to run) that, once executed, can lead to the complete destruction of a database, the disclosure of confidential information from the database records, and more.

Web forms are the most vulnerable to SQL injection attacks. For example, if the following SQL code is used in a login system, a user can be selected from the usersname table regardless of the name supplied, because the boolean expression 'a'='a' is true in every case:

```sql
SELECT * FROM usersname WHERE name = 'John' OR 'a'='a';
```
In the case presented above, an attacker could bypass the authentication system or, worse, compromise the database with a DROP TABLE statement. Fortunately, solutions exist that increase the general security of web applications backed by relational databases.

Martin Bravenboer presents a new method for avoiding these security leaks in database-driven applications in his Ph.D. thesis, entitled "Exercises in Free Syntax: Syntax Definition, Parsing, and Assimilation of Language Conglomerates". The technique for completely removing the SQL insecurities is based on the use of an API (application programming interface) in combination with simple string manipulation.

The method of embedding the syntax of SQL into a host language such as Java or PHP is generalized to many host/guest pairs of programming languages. The full text of the Ph.D. thesis is available online as a PDF document and can help you better understand both the mechanics of SQL injection and the recommended coding practices.
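As an added illustration that is not code from the article or from Bravenboer's thesis, the following Python script places the login query from the article beside a hardened version of the same lookup. The usersname table and its rows are constructed here, and the hardened version uses a parameterized query (the standard API-based defence) as a stand-in for the syntax-embedding approach the article only describes in outline.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny usersname table.
SAMPLE_USERS = [("John",), ("Alice",), ("Bob",)]


def make_db():
    """Create an in-memory database holding the article's usersname table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usersname (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO usersname (name) VALUES (?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Insecure: the user-supplied name is pasted into the SQL text, so a quote
    character in the input changes the structure of the statement itself."""
    sql = f"SELECT name FROM usersname WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened: the statement text is fixed and the name travels as a bound
    parameter, so quotes in the input are only ever compared as data."""
    sql = "SELECT name FROM usersname WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with an honest, non-existent name and with the
    tautology input that produces the article's query text."""
    conn = make_db()
    honest = "Mallory"                 # no such user: a correct login fails
    tautology = "John' OR 'a'='a"      # yields ... WHERE name = 'John' OR 'a'='a'
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "param_honest": lookup_parameterized(conn, honest),
        "param_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row for the tautology input, which is exactly the authentication bypass the article describes; the parameterized lookup returns nothing for it, because the whole string is compared as a literal name.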