To begin with, SQL is a programming language, firstly developed by IBM, that enables computers to store, and retrieve data fairly efficiently (at least in terms of the amount of coding that programmer have to do SQL is very efficient). SQL is used by many companies worldwide. SQL is categorized into a type of DBMS (Data Base Management Systems) known as Relational Databases. Relational database query languages (e.g., SQL, MySQL, YQL etc) are very easy to learn, and fairly efficient.
One disadvantages that Relational databases have, however, is that once the amount of data is so huge, they do not scale well. For the same reason, some big companies such as Google, Facebook, etc. do not use SQL or any other DBMS because of this lack of scalability.
Now I think I have gave you enough information about SQL. Let`s get to the main topic (i.e., SQL injection). SQL syntax, although very efficient, is in a way that can be abused by using special characters such as dashes, quotations and sometimes even logical operators (such as AND, OR, etc.). Of course, you should note that an application can be made secure enough to be immune against such attacks, but for that matter, the programmer has to actually know about the existence of such security threats and how to prevent them. I will mention SQL injections by example in my next post. But just to make your mind ready, I start with an example:
SQL injection starts with inputs that you give to a form in a website or application. For example, the (web) application has a form with separate fields that ask you for your name, password and/or email. SQL injection is basically values that you can enter in these fields to trick the application into granting you access to data that you should not normally be able to access.
In my next posts I will mention a few SQL injection commands and their usage.