The invaluable Troy Hunt has an excellent post on SQL injection attacks. We all know the basic idea behind SQL injection, but Hunt shows how attackers actually mount the attacks and why they work. It is extraordinary that these attacks still work, but, as Hunt points out, injection is still the number one exploit in the OWASP Top Ten.
The post is about the SQL injection itself rather than its mitigation. There is a link to mitigation strategies in the post[1] for those who are looking to protect themselves from these attacks.
If you are writing server-side code that talks to a database, you should take a look at this post. At the very least, you will get an idea of what you are up against.
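To make the "why they work" part concrete, here is an added example (not from Hunt's post or this page) that builds a throwaway SQLite database, runs a login query written with string concatenation, and then runs the same query with bound parameters. The table, the rows, the plaintext passwords and the payloads are all constructed for the demonstration. The concatenated version lets the attacker's text become part of the SQL grammar, so a quote and a comment marker rewrite the query; the parameterized version hands the same text to the driver as a value, and the query does not change.

```python
import sqlite3


def build_db():
    """Constructed sample data: two users with plaintext passwords (toy only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable on purpose: user input is spliced into the SQL text itself."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: the SQL text is fixed, the input travels as bound values."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads, each exploiting a different part of the grammar.
PAYLOAD_COMMENT = "admin'--"                # closes the string, comments out the password check
PAYLOAD_TAUTOLOGY = "' OR '1'='1"           # in the password field: ... OR '1'='1'
PAYLOAD_UNION = "' UNION SELECT password, role FROM users--"  # pulls other columns out


def run_demo():
    conn = build_db()
    results = {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        # Authentication bypass: the password predicate is commented away.
        "comment_vuln": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
        "comment_param": login_parameterized(conn, PAYLOAD_COMMENT, "wrong"),
        # Tautology: AND binds tighter than OR, so the trailing OR is always true.
        "tautology_vuln": login_vulnerable(conn, "alice", PAYLOAD_TAUTOLOGY),
        "tautology_param": login_parameterized(conn, "alice", PAYLOAD_TAUTOLOGY),
        # Data extraction: UNION returns the password column in place of username.
        "union_vuln": sorted(login_vulnerable(conn, PAYLOAD_UNION, "x")),
        "union_param": login_parameterized(conn, PAYLOAD_UNION, "x"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:16s} -> {rows}")
```

Two caveats worth knowing when you try this against a real stack: `sqlite3`'s `execute()` refuses stacked statements, so a `'; DROP TABLE users;--` payload raises an error here even though it works on drivers that allow several statements per call; and the UNION rows come back in whatever order the engine's deduplication produces, which is why the example sorts them. Neither caveat changes the lesson, which is that only the parameterized function returns the same empty result for every payload.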
Footnotes:
[1] The mitigation post is primarily aimed at .NET developers but contains good advice for everyone.