SQL injection

One of the oldest tricks in hackers' books is to get a targeted website to tell the attackers what its vulnerabilities are.

Sometimes hackers perform "Google hacks" to use the search engine to find cached examples of error messages on pages. Other times, they enter odd terms into a website's search box to see if the site spits back error messages from its SQL database.

Those error messages can tell hackers a lot about the site -- often, enough to exploit the vulnerability they reveal by injecting malicious code through the site into its database. That's known as a SQL injection.

SQL injections can be used to get a site to spit back its database contents, such as lists of usernames and passwords. They can also be used to infect visitors' computers with malware.

About 14% of all hacks last year involved SQL injections, according to Verizon's 2011 Data Breach Investigations Report.

SQL injections can be stopped, but experts say the vulnerabilities are very difficult to find, particularly on large sites with complicated code. Sites need a multi-layered defense to prevent SQL injection attacks: they must remove injection vulnerabilities from their code, verify that the code is in fact free of them, and have a way to detect and stop the database when it starts returning unexpected data.
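To make the two points above concrete, here is an added example (not code from the article) in Python with SQLite: a lookup that pastes the search term straight into the SQL, so the term is parsed as part of the command and a database error message reaches the user, beside a parameterised lookup that treats the term as plain data and returns only a generic error. The table, rows and search terms are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The search term is concatenated into the statement, so the database
    # parses it as SQL. This is the defect the article describes.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # Raw engine message shown to the visitor: the kind of error text
        # that tells an attacker the site is vulnerable.
        return "error: " + str(exc)


def lookup_safe(conn, username):
    # Parameterised query: the driver binds the value, so it can never
    # change the shape of the command no matter what it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    try:
        return [row[0] for row in conn.execute(sql, (username,))]
    except sqlite3.Error:
        # Log the detail server-side; the visitor only sees a generic message.
        return "request failed"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))  # every username leaks
    print(lookup_safe(db, "' OR '1'='1"))        # [] : no user has that name
    print(lookup_vulnerable(db, "'"))            # engine error text leaks
```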


Last updated July 29 2011: 5:11 AM ET