What do Sony Pictures, PBS, Microsoft, Yahoo, LinkedIn, and the CIA have in common? These organizations and their web sites have all been successfully breached using what has become the weapon of choice for hackers: SQL injection.
SQL, or the Structured Query Language, is the command-and-control language for relational databases such as Microsoft SQL Server, Oracle, and MySQL. In modern web development, these databases are often used on the back end of web applications and content management systems – meaning that both the content and behavior of many web sites is built on data in a database server.
A successful attack on the database that drives a website or web application can potentially give a hacker a broad range of powers, from modifying web site content (“defacing”) to capturing sensitive information such as account credentials or internal business data.