You would think that if you are the person who makes a product that no one would be able to know the ins and outs of the product better than you do. This is especially true if you have been dealing with the product that you created for years. But sadly this is not the case all of the time. Even though people think that the creator of the software should be able to protect it all of the time that is just not realistic. For example we can look at the creators of mySql. Just recently their web site had been infected with the last piece of malware that they should be infected by; an SQL injection. If there is any web site that should be safe from an SQL injection it should be mySql.com. But that was not the case.
What is a SQL injection attack?
When you own or run a web site there are so many different types of attacks that you have to look out for. For many hackers, there is an endless supply of servers out there that they can to break into. So to make it easier for themselves, they pick the ones that are vulnerable to their specialties. A common attack vector is through the use of an SQL attack. An SQL injection attack is one of the easiest ways to get past the security of a server. Fortunately it is also one of the most easily defended attacks as well.
When the bad guy is trying to run an SQL injection attack he is attempting to place SQL commands through one of the many forms on the web site. You may notice that when you fill out a form on a web site that after you hit the submit button it starts to process and more than likely switches the page that it is on. When it is processing what it is actually doing is sending the data that you inputted into the form back to the server that is hosting the site. Or it may also send the data to another server as well. When the data reaches the web site it is then stored with a piece of software called a database. A database on the server must have specific rules on how that data is organized. The whole purpose of a database is to make it easy for you to be able to get the data back out again in an organized fashion.
If the form that you are using to send the data back to the database is not protected in the right way then a bad guy is able to place his own rules for the server. He can take database commands and place it in the forms text box. Once it is in there it get sent back to the server and processed just as if the data was sent by you. They can do many things with the SQL commands. They can make all of the data that is on the web site be erased by using the DELETE command. They can also make all of the data that is on the web site show up so that the black hat hacker can see all of it. There is no limit to what a bad guy can do once he has found a place on your server that he is able to send SQL commands.
As I said earlier, if you are a programmer then protecting your server is quite easy. If you are not a programmer then you are going to want someone to make the fixes for you. In any modern day server side language that you use to make a web site there are going to be functions that filter for this type of attack. This type of attack has been prevalent for over a decade so any language that takes web building very seriously is going to have a protection against this. It is up to you as the programmer to make sure you implement it. You must go by the simple rules of never trust your users. Protect your whole web site against them. Any place that they are able to insert data, make sure that the data is sanitized first. You sanitize the data by using the language functions that I talked about earlier. Look at the documentation of the language that you are using to see what those functions are. If you remember to follow this rule then your site should be safe.
As you can see, even if you are an expert in a certain domain you still might slip up. This is why you must always be vigilant while you are on the web. No matter how much you think that you know or how good you are all the bad guys have to do is find one weak spot.