SQL injection

One of the oldest tricks in hackers' books is to get a targeted website to tell the attackers what its vulnerabilities are.

Sometimes hackers perform "Google hacks" to use the search engine to find cached examples of error messages on pages. Other times, they enter odd terms into a website's search box to see if the site spits back error messages from its SQL database.

Those error messages can tell hackers a lot about the site, often enough to exploit the vulnerability they reveal by injecting malicious SQL commands into the queries the site sends to its database. That's known as a SQL injection.

SQL injections can be used to get a site to spit back its database contents, such as lists of usernames and passwords. They can also be used to infect visitors' computers with malware.

About 14% of all hacks last year involved SQL injections, according to Verizon's 2011 Data Breach Investigations Report.

SQL injections can be stopped, but experts say they're very difficult to find, particularly on large sites with complicated code. Sites need a multi-layered defense to prevent SQL injection attacks: they must remove the vulnerabilities from their code, verify that user input cannot be turned into injected queries, and, if the database is returning unexpected data, detect it and stop it.
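As an added illustration that is not part of the article, the contrast between a search handler built by pasting the visitor's text into the query and one that binds it as a parameter, written in Python against an in-memory sqlite3 table; the product rows are constructed sample data.

```python
import sqlite3

# Constructed sample catalogue, standing in for a site's product table.
SAMPLE_ROWS = [("widget", 9.99), ("gadget", 19.99), ("o'ring", 0.5)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def search_vulnerable(conn, term):
    """Builds the query by string concatenation: the visitor's text becomes SQL syntax."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    """Binds the term as a parameter: the driver treats it as data, never as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def search_handler(conn, term):
    """What the site's search endpoint should return: results, or a generic message.
    The raw database error goes to the server log only and is never echoed to the page."""
    try:
        return {"ok": True, "results": search_parameterized(conn, term)}
    except sqlite3.Error as exc:
        print("db error (logged server-side, not shown to visitor):", exc)
        return {"ok": False, "message": "Search is temporarily unavailable."}

def demo():
    """Types a single stray quote, the kind of odd term the article describes,
    into both versions and returns (leaked error text, safe results)."""
    conn = make_db()
    odd_term = "o'"
    try:
        search_vulnerable(conn, odd_term)
        leaked = None
    except sqlite3.OperationalError as exc:
        leaked = str(exc)  # this database error is what a leaky page would echo back
    safe = search_parameterized(conn, odd_term)  # the quote is just part of the search text
    return leaked, safe

if __name__ == "__main__":
    print(demo())
```

The concatenated version turns the quote into a syntax error whose message describes the database, while the bound version simply searches for the literal text and finds "o'ring".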


Last updated July 29 2011: 5:11 AM ET