Suppose there is a login form where you enter some data. The main methods of SQL injection involve entering values into the forms such that they make statements which are acceptable by the SQL parser.
Exploiting Using a Trivially True Logical Statement:
SELECT fieldlist FROM table WHERE field = 'As you can see in the above example: We have a logical statement which is always true. No matter what you put there instead of 'anything', the comparison 'x'='x' is always true (Note the exploitation of quotations. We put there <'x'='x> as input, but from the machine's point of view, the value to be parsed is <'x'='x'>)! Therefore, if the victim program or application were not secure enough, you will be granted access to the system! ';
Brute-Force Password Guessing:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'firstname.lastname@example.org' AND passwd = 'hello123';
There are countless of more SQL injection examples that I am not going to talk about here, but you can definitely find articles on the web. Besides, SQL injection can be prevented very easily (I know it's sad, but you will never become a grey-hat hacker by solely knowing about SQL injections).
In my next blog post I will talk about a more practical type of hacking (namely XSS Attack).
P.S. It never hurts to follow my blog by clicking the follow button on top-right side of the page.