In a less direct form of SQL injection, the attacker inserts malicious code into string fields that are destined for storage in a table, or as metadata, within the SQL database. When the stored strings are later concatenated into a dynamic SQL command, the malicious code executes and the damaging action takes place, giving the attacker the same access and follow-on actions as a direct injection.
NOTE
SQL injection attacks are approximately 100 percent preventable. Every user input field can be filtered to allow only the type of data that the field is intended to receive and to reject all other types of input. If the field is intended to hold phone numbers or ZIP codes, you can disallow all alphabetic characters. If the field is intended for the two-character state code, you can truncate all input beyond the second character and disallow numbers. This is referred to as “qualifying the user input data.” The qualifying rules often get much more sophisticated than these basic examples, but they can be written and included in the application’s code and could prevent approximately 100 percent of all SQL injection attacks.
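The following is an added example, not code from the book or the post, illustrating both points above: how a string that was stored safely can still be injected when it is later spliced into a dynamic SQL command, and what "qualifying the user input data" looks like for the ZIP-code and state-code fields the note mentions. It uses Python's built-in sqlite3 module with an in-memory database; the table names, the functions, and the sample value "O'Brien" are constructed for this example. The stray apostrophe is enough to show the mechanism: the dynamic statement breaks, the parameterised one does not.

```python
import re
import sqlite3


def log_visit_dynamic(conn, user_id):
    """Vulnerable pattern: a value read back from the database is trusted
    because it 'came from the database' and is concatenated into new SQL."""
    name = conn.execute(
        "SELECT display_name FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    sql = "INSERT INTO audit (msg) VALUES ('visit by " + name + "')"
    try:
        conn.execute(sql)  # any quote in the stored string alters the statement
        return True
    except sqlite3.Error:
        return False


def log_visit_bound(conn, user_id):
    """Hardened pattern: same logic, but the stored value is bound as a
    parameter, so its content can never change the SQL structure."""
    name = conn.execute(
        "SELECT display_name FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    try:
        conn.execute("INSERT INTO audit (msg) VALUES (?)", ("visit by " + name,))
        return True
    except sqlite3.Error:
        return False


def second_order_demo(name):
    """Store `name` safely, then replay it through both logging paths.
    Returns (dynamic_succeeded, bound_succeeded, rows_in_audit)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.execute("CREATE TABLE audit (msg TEXT)")
    # The initial write is parameterised, so the store itself is not the bug.
    conn.execute("INSERT INTO users (display_name) VALUES (?)", (name,))
    user_id = conn.execute(
        "SELECT id FROM users WHERE display_name = ?", (name,)
    ).fetchone()[0]
    dynamic_ok = log_visit_dynamic(conn, user_id)
    bound_ok = log_visit_bound(conn, user_id)
    rows = conn.execute("SELECT COUNT(*) FROM audit").fetchone()[0]
    conn.close()
    return dynamic_ok, bound_ok, rows


# --- Qualifying the user input data (allow-list rules per field) ----------

def qualify_zip(raw):
    """ZIP field: digits only. Any alphabetic or other character is rejected
    rather than silently stripped, so bad input never reaches the query."""
    value = raw.strip()
    if not re.fullmatch(r"[0-9]{5}", value):  # assumption: 5-digit US ZIP
        raise ValueError("ZIP code must be exactly five digits")
    return value


def qualify_state(raw):
    """State field: truncate to two characters, then allow letters only."""
    value = raw.strip().upper()[:2]
    if not re.fullmatch(r"[A-Z]{2}", value):
        raise ValueError("state code must be two letters")
    return value


if __name__ == "__main__":
    # Constructed sample input: an ordinary name with an apostrophe.
    print(second_order_demo("O'Brien"))  # dynamic path fails, bound path works
    print(second_order_demo("alice"))    # both paths succeed
    print(qualify_zip("94105"), qualify_state("cal"))
```

Qualifying input narrows what can reach a query; binding parameters guarantees that whatever does reach it is treated as data. The note's point holds when both are applied, including to values that were stored earlier and are being read back.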
APA (American Psychological Assoc.)
Miller, D. (2011). Security Information and Event Management (SIEM) Implementation. New York: McGraw-Hill Professional.
MLA (Modern Language Assoc.)
Miller, David. Security Information and Event Management (SIEM) Implementation. McGraw-Hill Professional, 2011. EBSCOhost.