SQL injection

One of the oldest tricks in hackers' books is to get a targeted website to tell the attackers what its vulnerabilities are.

Sometimes hackers perform "Google hacks" to use the search engine to find cached examples of error messages on pages. Other times, they enter odd terms into a website's search box to see if the site spits back error messages from its SQL database.

Those error messages can tell hackers a lot about the site -- often, enough to exploit the found vulnerability by injecting malicious code into the database. That's known as a SQL injection.

SQL injections can be used to get a site to spit back its database contents, such as lists of usernames and passwords. They can also be used to infect visitors' computers with malware.

About 14% of all hacks last year involved SQL injections, according to Verizon's 2011 Data Breach Investigations Report.

SQL injections can be stopped, but experts say they're very difficult to find, particularly for large sites with complicated code. Sites need a multi-layered defense to prevent SQL injection attacks: They must clear their code of vulnerabilities, ensure it's free of injections, and if their database is returning unexpected data, they have to find a way to stop it.
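The error-message leak described above and the first layer of the defense, as an added example that is not part of the original article: a search handler in Python against an in-memory SQLite database. The table, the sample rows and the function names are assumptions made for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("search")

def make_db():
    """Constructed sample data: an in-memory SQLite table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)",
                   [("O'Brien stout",), ("Plain lager",)])
    return db

def search_unsafe(db, term):
    """'Before' form: input is pasted into the SQL text, and the raw
    database error is returned to the visitor."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.Error as exc:
        return "Database error: %s in query: %s" % (exc, sql)

def search_safe(db, term):
    """Hardened form: the term is bound as a parameter, so it is always
    data; errors are logged server-side and the visitor sees a generic
    message."""
    # Escape LIKE wildcards so % and _ in the term match literally.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    try:
        rows = db.execute(
            "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
            ("%" + esc + "%",))
        return [r[0] for r in rows]
    except sqlite3.Error:
        log.exception("search query failed")
        return "Sorry, something went wrong."

if __name__ == "__main__":
    db = make_db()
    print(search_unsafe(db, "O'Brien"))  # leaks error text and query
    print(search_safe(db, "O'Brien"))    # returns the matching row
```

An ordinary name containing an apostrophe is enough to make the first handler print its query and table name; the second treats the same input as plain data.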


Last updated July 29 2011: 5:11 AM ET