SQL Injection is the most popular attack vector that hackers exploit. It is also by far the most known attack method that developers and business owners are aware of.

The SQL standard supports complex queries and it is the de facto query standard against stored data in web applications.

SQL Injection can exist in dynamic SQL query constructions and stored procedures. It is also important to know that using ORM frameworks such as Hibernate doesn’t %100 prevent SQL injection. It is still developer’s job to be careful not to construct sql queries dynamically. For example analyze the code snippet below;

                            
String query = "from Users where uname = '" + request.getParameter("name") + "'";
List users = hibernate.find(query);
if (users.length == 0)  
return  ERROR_LOGIN;
if (!checkPasswd(users.get(0).getPasswd(), pass))
return ERROR_LOGIN; 
            
            

There’s still a room for hacker to manipulate the query by providing smart values for request.getParameter("name").

Every injection attack occurs because of mixing code and untrusted data in the code. As developers, we are rarely provided secure APIs in order to keep these two piece of information (code and data) apart, until the runtime. In the above code, mixing the data, as name coming from the user, and code, as the partial SQL filter in the program, result in SQL injection. The attacker can potentially manipulate the SQL query and access the information that he can’t access otherwise.

For example, by sending admin' or 2 > 1 ) -- as request.getParameter("name"), the attacker may authenticate as admin user although he is not the user having the username admin. This is just one of the possibilities that attacker can do with the vulnerable code such as above.