SQL Server Injection Attacks and what you can do about them

By  Jun 2, 2008

A SQL Injection attack is simply inserting another statement inside a SQL string. Even though these attacks are simple to construct, they can be difficult to defend against if your code is not set up properly.

It works like this. Let's say you have an application or web page that allows the user to enter their order number to track it:

Enter your order number here: ___________

Now the user enters their order number, and then you translate it into this:

SELECT * FROM ORDERS WHERE ORDERNUMBER = 'string the user entered'; GO

All the user has to do is enter a string like this:

1234'; GO SELECT * FROM sysobjects WHERE xtype = 'P

This will get them all of your stored procedures. That's because you let them put in a single tick (a single quote character), which "breaks out" of the statement and runs another.
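One way to set up the lookup so that the user's text is never parsed as SQL, shown as an added T-SQL example that is not from the original article: the same query written once with string concatenation and once with a bound parameter through sp_executesql. ORDERS and ORDERNUMBER are the article's names; the STATUS column, the column types and both procedure names are assumptions.

```sql
-- Added example. ORDERS and ORDERNUMBER come from the article; the STATUS column,
-- the column types and both procedure names are assumptions.
CREATE TABLE dbo.ORDERS (
    ORDERNUMBER varchar(20) NOT NULL PRIMARY KEY,
    STATUS      varchar(30) NOT NULL
);
INSERT INTO dbo.ORDERS (ORDERNUMBER, STATUS) VALUES ('1234', 'Shipped');  -- constructed row
GO

-- Weak: the user's text is pasted into the statement text, so a single quote
-- inside it ends the string literal and whatever follows is parsed as SQL.
CREATE PROCEDURE dbo.TrackOrder_Concatenated @OrderNumber varchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.ORDERS WHERE ORDERNUMBER = ''' + @OrderNumber + N''';';
    PRINT @sql;   -- the text the server is being asked to parse
    EXEC (@sql);
END;
GO

-- Corrected: the statement text is constant and the value is bound as a typed
-- parameter, so quotes inside it are compared as data and never parsed.
CREATE PROCEDURE dbo.TrackOrder_Parameterized @OrderNumber varchar(100)
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT ORDERNUMBER, STATUS FROM dbo.ORDERS WHERE ORDERNUMBER = @n;',
        N'@n varchar(100)',
        @n = @OrderNumber;
END;
GO

-- Constructed input with the same shape as the article's example string.
DECLARE @input varchar(100) = '1234''; GO SELECT * FROM sysobjects WHERE xtype = ''P';

-- The whole string is compared with ORDERNUMBER as one value.
EXEC dbo.TrackOrder_Parameterized @OrderNumber = @input;

-- A legitimate order number is looked up through the same fixed statement.
EXEC dbo.TrackOrder_Parameterized @OrderNumber = '1234';
```

The same binding is available from application code through the data access library's parameter objects, which is where the lookup in the article's example would normally be built.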

There are other ways to have this happen as well. It isn't specific to SQL Server, but they have a great writeup on this:


More on database security here: http://www.informit.com/store/product.aspx?isbn=0321468104 

