It's important for IT workers to understand SQL injection. Standard writer Lincoln Spector notes that operating systems (read: Microsoft Windows) have become much more bulletproof, so black-hat hackers now go after the applications running atop the operating system, because there are far more weaknesses to exploit there. According to Gartner, three-fourths of the Web application vulnerabilities reported last year have still not been fixed.
SQL injection attacks work by placing commands written in SQL (short for Structured Query Language, the language used to query and manipulate databases) into, for example, the username field on a website's login page. Incorrect handling of the username causes it to be treated as part of a SQL command by the website's servers rather than as plain data.
Wikipedia has several examples of SQL injection. In one, the hacker (or more likely, a program written by the hacker to attack many machines at once) fills in the username field with a' or 't'='t. This bit of SQL gets spliced into the command that looks up usernames in the database, where the programmer had assumed that only a username would be typed.
So instead of running this SQL command:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
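The following is an added example, not code from the article or from Wikipedia. It reproduces the pattern above against a throwaway in-memory SQLite table (the table, its rows, and the helper names are constructed for this illustration) and puts the vulnerable lookup next to the parameterized one. With the payload a' or 't'='t the spliced statement becomes SELECT * FROM users WHERE name = 'a' or 't'='t'; and, because 't'='t' is always true, it matches every row; the parameterized version treats the same input as an ordinary (non-existent) username.

```python
import sqlite3

# Constructed sample input: the username a hacker would type into the login form.
PAYLOAD = "a' or 't'='t"


def make_db():
    """Build a constructed in-memory users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def build_vulnerable_statement(user_name):
    """The page's pattern: untrusted input is glued into the SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def lookup_vulnerable(conn, user_name):
    """Run the concatenated statement; quote characters in user_name
    change the statement's structure, which is the injection."""
    return conn.execute(build_vulnerable_statement(user_name)).fetchall()


def lookup_safe(conn, user_name):
    """Parameter binding: the value is sent separately from the SQL text,
    so it is compared as a string and can never become part of the command."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?;", (user_name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_statement(PAYLOAD))
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no such user
```

The demonstration only subverts the WHERE clause because the sqlite3 module refuses to run more than one statement per execute() call; drivers that allow stacked statements would let the same quoting trick append entirely separate commands.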