Websites that use scripting languages can be vulnerable to different types of attacks. As you develop your website, you will want to protect it against these attacks. SQL Injection is one of the more common attacks that can be performed against your website or database.
An SQL Injection attack uses your site's forms and scripts to exploit vulnerable code so that malicious SQL is executed when the request is processed by the web server or SQL Server. There is a large amount of documentation on how to develop your site to protect it against SQL Injection. Please review the documentation and consider the best practices it advises:
- Preventing SQL Injections in ASP (microsoft.com)
- Secure your ColdFusion application against SQL injection attacks (adobe.com)
- PHP: SQL Injection (php.net)
In many sites, developers use GET and POST variables to create SQL commands that are executed on the server. (GET variables are passed via the URL and POST variables are sent via form submissions.)
Hackers will modify these variables, assigning them values that the developer never intended. A GET or POST variable can carry malicious SQL, which is then appended to the command the developer intended to run. The resulting command is executed against your SQL Server.
The hacker will view the source code of the HTML page to determine what needs to be changed and how to change it, then supply a new value for the HTML form field. This allows the hacker to alter the information submitted by the HTML form.
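The following is an added example, not code from the original article: the same username lookup written the vulnerable way (the GET/POST value pasted into the SQL text) and the safe way (a parameterized query plus input validation). The table, rows and tampered input are constructed for the demonstration, and an in-memory SQLite database stands in for the site's SQL Server.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the site's SQL Server.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn

def lookup_vulnerable(conn, username):
    # The request variable is concatenated straight into the SQL text, so the
    # quoting and structure of the query depend on whatever the user sent.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def is_valid_username(username):
    # Allow-list validation (hypothetical policy): letters, digits, underscore.
    # Apply this on every request, not only when the value is first accepted.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def lookup_safe(conn, username):
    # Reject anything outside the allow-list, then bind the value as a
    # parameter so it is only ever compared as a string, never run as SQL.
    if not is_valid_username(username):
        return []
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = setup_db()
    normal = "alice"
    # Constructed tampered input: closes the quote and makes the WHERE clause
    # true for every row when concatenated into the query text.
    tampered = "' OR '1'='1"
    return {
        "normal_vuln": lookup_vulnerable(conn, normal),
        "normal_safe": lookup_safe(conn, normal),
        "tampered_vuln": lookup_vulnerable(conn, tampered),
        "tampered_safe": lookup_safe(conn, tampered),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running the block shows the concatenated query returning every user for the tampered value, while the validated, parameterized version returns nothing for it and still finds "alice" for a normal value.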
Additionally, validate the input every time, not just when the data is initially accepted. For example, if you set a cookie, make sure the cookie still has the same value and is correct on each and every request. A malicious user could change the value at any time during the session.