Are You Going to Start Your Website? Be Prepared Against SQL Injection Attacks


Rajesh came to me running. He was desperate. "What happened?" I asked. "All is lost and I do not know what has happened!!" he replied. When pressed he told me the whole story.



He had just started his web based home business. It was running smoothly and he was the only user who had administrative privileges. But one day he found that all the tables were erased. He suspected an accident and replaced them. But it repeated. "I do not know what to do and why it happens!" he lamented. "Have you given the admin password to anybody?" I asked. "No," he replied. "Also, I have changed the admin password thrice. But it is of no use."

I promised to explore his problem. After examining the login page I found that his code was susceptible to an SQL injection attack! Anybody could remove data from his tables by this.

But what is an SQL injection attack? For that one must first understand what SQL is. When you develop a web site, you will naturally use a database, and a database typically stores data in the form of tables. To search for a particular item, you have to query the database. Modern DBMSs use a standardized language for this. This query language is called SQL (Structured Query Language).

So when a user logs in to the system he supplies his login name and password. To verify whether the password is correct, an SQL query is invoked which searches the corresponding table to see whether that user name and password match a stored row.

What does a malicious user do? He inserts his own SQL commands in the password field so that the system executes them along with the intended query. The result? Anything the bad user wants. It may be reading information he is not entitled to, destroying the databases as happened in the case of Rajesh, or even gaining unauthorized access.

So what is the solution? One must design the web site so as to prevent such attacks. Tighten your security so that such attacks cannot succeed. The important measures to do this are:

1. Check any input given by the users for suspicious characters or words before it reaches the database.

2. Use least privileges in the database: the account your web site connects with should hold only the rights it actually needs.

3. Avoid the use of SQL generated at run time, that is, statements assembled by pasting user input into the query text.
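To make these measures concrete, here is an added example (it is not code from this article or from Rajesh's site) written in Python with the standard-library sqlite3 module. The users table, the account and the password-field payload are constructed for the demonstration. It places the run-time-assembled query the article warns against beside a parameterized query, shows that the same tautology typed into the password field logs in against the first and is rejected by the second, and adds a small input check in the spirit of measure 1 that flags quote characters and SQL keywords so the attempt can be logged.

```python
import re
import sqlite3

# Constructed sample data: one legitimate account. Real systems store password
# hashes, not plaintext; plaintext is used here only to keep the demo short.
SAMPLE_USERS = [("rajesh", "s3cret-pass")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Measure 3 violated: SQL generated at run time by pasting user input
    into the statement text, so whatever the user types becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the statement text is fixed and the driver sends
    the values separately, so the input is never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Measure 1 (heuristic): quotes, comment markers and a few SQL keywords.
SUSPICIOUS = re.compile(r"['\";#]|--|/\*|\b(OR|AND|UNION|DROP|DELETE)\b",
                        re.IGNORECASE)


def looks_suspicious(value):
    """Flag input worth logging or alerting on. This is defence in depth,
    not a substitute for safe_login's parameterized query."""
    return SUSPICIOUS.search(value) is not None


def demo():
    """Run both login paths with an honest password and with a constructed
    tautology payload in the password field; return the outcomes."""
    conn = make_db()
    payload = "' OR '1'='1"   # constructed payload for the password field
    results = {
        "honest_vulnerable": vulnerable_login(conn, "rajesh", "s3cret-pass"),
        "honest_safe": safe_login(conn, "rajesh", "s3cret-pass"),
        "injected_vulnerable": vulnerable_login(conn, "rajesh", payload),
        "injected_safe": safe_login(conn, "rajesh", payload),
        "payload_flagged": looks_suspicious(payload),
        "honest_flagged": looks_suspicious("s3cret-pass"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against `vulnerable_login` the resulting statement reads `... AND password = '' OR '1'='1'`, and because `AND` binds tighter than `OR` the condition is always true, so a row comes back and the caller is treated as logged in. `safe_login` compares the whole payload as a literal password and finds nothing. Measure 2 is not shown because sqlite has no per-account privileges; on MySQL, MS SQL or Oracle the same idea means connecting the web site with an account that lacks rights such as DROP on the tables it only needs to read.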

Many articles on SQL injection are available on the net.

"Stop SQL Injection Attacks Before They Stop You" by Paul Litwin in the September 2004 issue of MSDN Magazine is a good example.

Kannan Balakrishnan is a budding Indian writer. He continuously writes on a variety of topics like website design, computer science, self improvement etc. Now he maintains a blog http://www.wbforu.blogspot.com entirely devoted to web business. You can also mail him for consultancy at kannanb@post.com
