SQL Injection through ASP and MS SQL 2000

Discussion in 'C#' started by cancer10, Oct 26, 2007.

  1. #1
    Hello,

    I have heard a lot about SQL Injection. I was wondering how an injector comes to know about the table/column names when they cannot see the ASP code in a website?

    Can someone explain, please?

    Thanks
     
    cancer10, Oct 26, 2007 IP
  2. DPGBB

    #2
    DPGBB, Oct 27, 2007 IP
  3. Forrest

    #3
    Lot of ways. Use stored procedures to avoid injection, and for plenty of other reasons.

    Select * From sysObjects Where xType = 'U'

    will do it.
     
    Forrest, Oct 28, 2007 IP
  4. TechEvangelist

    #4
    You don't need to know either table or column names to use SQL injection. It will work for most SQL searches that are poorly designed and unprotected.
     
    TechEvangelist, Oct 29, 2007 IP
  5. teraeon

    #5
    Basically the way that people find out your structure is by trial and literal *error*. They will inject code to cause your site to return an error, and from that they can get the structure of the site.

    The simplest form of SQL Injection is just commenting out your code. So for example, if you're using SQL Server and your SQL statement looks something like this for looking up a username and password:

    SELECT * FROM Users WHERE Username = '" & Username & " AND Password = " & Password

    What someone could do is enter in for their username Administrator' OR 1=1 -- and what that would do is cause the SQL Statement to look like so to the server

    SELECT * FROM USERS WHERE Username = 'Administrator' OR 1=1 --AND Password =

    If you escape your variables properly you could avoid this, and you also want to use commands with escaped parameters as much as possible to allow ADO to take care of your SQL Injection issues. Also the most important thing you can do is ensure that you have custom error pages on your live site so nobody can see the detailed error on the pages if someone does try to hack.

    NGSSoftware did some great studies on them, you can find it at
    Search on Google for "NGSSoftware SQL Injection", sorry I would post the link but I can't yet, apparently.
     
    teraeon, Oct 31, 2007 IP
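
An added example, not part of the thread or any poster's code: the concatenated login lookup from post #5 beside a parameterized one, run against the same input, plus a probe showing what a verbose error page would leak. Assumptions: Python with an in-memory SQLite database stands in for ASP/ADO and SQL Server, and the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    # Plaintext password only to mirror the post's query; store hashes in practice.
    db.execute("INSERT INTO Users VALUES ('Administrator', 's3cret-sample')")
    return db

def login_concatenated(db, username, password):
    """The pattern from the post: user input is pasted into the SQL text."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Placeholders keep input as data; it is never parsed as SQL."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def probe(login, db, username):
    """Return the database error a verbose error page would show, else None."""
    try:
        login(db, username, "")
        return None
    except sqlite3.Error as exc:
        # A custom error page would log this server-side instead of displaying it.
        return str(exc)

if __name__ == "__main__":
    db = make_db()
    payload = "Administrator' OR 1=1 --"  # the input quoted in post #5
    print("concatenated accepts payload: ", login_concatenated(db, payload, ""))
    print("parameterized accepts payload:", login_parameterized(db, payload, ""))
    print("error leaked by concatenation:", probe(login_concatenated, db, "'"))
    print("error leaked by parameters:   ", probe(login_parameterized, db, "'"))
```

In classic ASP the equivalent of the parameterized form is an ADODB.Command with `?` placeholders and parameters appended through `CreateParameter`.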