commands into the frontend pieces to see whether they can execute SQL commands directly against the database. For instance, a form may carry SQL commands to access a database, and a hacker may inject SQL commands into that form to try to return passwords and users.

A typical scenario for injecting SQL through browsers is to run the browser code in a Firefox debugger, look for any functions or JavaScript that look like they may take SQL, and run a SQL Injection tool that tries every combination of SQL through those functions. There are many off-the-shelf tools for testing browser code, available to everyone. For those who hack, or check for hacking, for a living, there are many freeware tools that assist in finding SQL Injection, and even training sites on which to sharpen your skills at finding it. If you practice hacking techniques such as SQL Injection enough, there are many official contests in which to try your skills. The ultimate way to get rid of SQL Injection is not to use SQL commands in code at all. With today's modern frameworks, with ORMs and NoSQL, there is no absolute need to use SQL commands. Also, depending on the code base, using NoSQL and ORMs has been shown to increase performance, decrease development time, and reduce the amount of code.
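As an added illustration of the mitigation the paragraph points at (example code written for this page, not the book's own), here is the same user lookup written twice: once by gluing the input into the statement text, once with parameter binding, both run against a constructed in-memory SQLite table. The table, the usernames, the hash strings and the probe input are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    # Constructed sample rows; the hashes are placeholders, not real digests.
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-placeholder-a"), ("bob", "hash-placeholder-b")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """String concatenation: whatever the caller passes becomes part of the SQL text.

    Any quote characters in `username` end the literal early, so the rest of the
    input is parsed as SQL rather than compared as data.
    """
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    """Parameter binding: the statement text is fixed, the value travels separately.

    The driver hands `username` to SQLite as a bound value, so it can only ever be
    compared against the column; it is never parsed as SQL, whatever it contains.
    """
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with a normal name and with a constructed probe string.

    Returns a dict so the difference in behaviour can be inspected programmatically.
    """
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote and a trailing clause
    return {
        "vulnerable_normal": lookup_user_vulnerable(conn, "alice"),
        "vulnerable_probe": lookup_user_vulnerable(conn, probe),
        "safe_normal": lookup_user_safe(conn, "alice"),
        "safe_probe": lookup_user_safe(conn, probe),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameter binding is the mechanism that actually removes the injection, and it is the same mechanism an ORM uses under the hood when it generates queries for you, which is why moving to an ORM helps. The caveat a practitioner should keep in mind is that most ORMs still expose a raw-query escape hatch, and a string assembled there inherits exactly the problem of the first function above.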