
Injections

  • Writer: Charles Wolfe
  • Sep 23, 2019
  • 1 min read

At the top, vulnerable MySQL code that takes user input for '$email' and '$password'. The diagram shows what sort of input can be passed in order to conduct a SQL injection and retrieve all emails and passwords in the database.

This week, I’ve decided to explore an actual exploit. Injection flaws, of which SQL injection is the best known, sit at number one in the Open Web Application Security Project (OWASP) Top 10 list of web application risks. The concept of an SQL injection is very simple as well, so I figure this would be a great starting point in my study of exploits.

MySQL is a database management system: it stores data in tables of rows and columns and is queried with SQL, the language that most relational databases share. When a user submits a form on a website, the application usually builds an SQL query out of that input and sends it to the database. If the input is pasted straight into the query text, as in the code above, a malicious user can change what the query does. Someone who knows SQL can use special characters like single quotes, parentheses, comment markers and boolean operators to close the string the application was building and tack logic of their own onto the statement. By watching how the application responds to different inputs, they can work out the exact shape of the statement they are landing in and then reshape it to pull out any data the database holds. This can include passwords, emails, user addresses and other sensitive information. The fix is just as well known as the attack: never concatenate untrusted input into a query string; pass it as a bound parameter of a prepared statement so the database treats it as data rather than as SQL. The exploit has been public for over twenty years, yet a great many websites are still vulnerable to it. SQL injections are certainly something I will continue to play around with in the future. They could even serve as the basis of my upcoming original work.
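To make the mechanism concrete, here is an added example of my own; it is not code from the post or its diagram. It uses SQLite through Python's standard sqlite3 module instead of MySQL so it runs without a server, but the query shape is the same email/password check the diagram describes, and the payloads are the classic quote-closing ones. The sample users are constructed for the example; the function names, the plaintext password column (kept only because the diagram is about dumping raw rows) and the payload strings are all my assumptions.

```python
import sqlite3

# Constructed sample data. A real application would store password hashes,
# not plaintext; the table mirrors the post's diagram, which is about pulling
# the raw rows out.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct-horse-battery-staple"),
    ("carol@example.com", "letmein"),
]


def make_db():
    """Create an in-memory SQLite database with a users table like the one in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """The pattern from the post: user input concatenated straight into the SQL text.

    Returns the (email, password) rows the query matched, so the caller can see
    exactly what an attacker would get back.
    """
    query = (
        "SELECT email, password FROM users "
        "WHERE email = '" + email + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, email, password):
    """Same check with bound parameters: the driver sends the values separately
    from the SQL text, so a quote in the input is just a quote in the data."""
    query = "SELECT email, password FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchall()


# Two classic payloads (assumed for the example). The first closes the string
# literal and appends a condition that is always true; the second does the same
# and then comments out the rest of the statement so the password check never runs.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "x' OR 1=1 -- "


def demo():
    """Run the legitimate login and both payloads against each version of the check."""
    conn = make_db()
    results = {
        # Normal login: exactly one row either way.
        "legit_vulnerable": login_vulnerable(conn, "alice@example.com", "hunter2"),
        "legit_safe": login_safe(conn, "alice@example.com", "hunter2"),
        # WHERE email = '' OR '1'='1' AND password = '' OR '1'='1'  -> every row
        "tautology_vulnerable": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        # WHERE email = 'x' OR 1=1 -- ' AND password = 'wrong'      -> every row
        "comment_vulnerable": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        # Same payload as bound data: no user has that literal email, so no rows.
        "tautology_safe": login_safe(conn, TAUTOLOGY, TAUTOLOGY),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Running it shows the concatenated version handing back all three accounts for either payload while the parameterized version returns nothing for the same input. One caveat specific to this driver: sqlite3's execute() refuses to run more than one statement, so a stacked payload such as `'; DROP TABLE users; --` raises an error here instead of executing; that is a property of the library, not a defence to rely on, and the bound-parameter version is the real fix.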
