how to    An SQL injection (or an insertion of an SQL code)  is one of the most dangerous methods of site hacking. An SQL injection hacking is based on inserting an arbitrary SQL code into a request to the database. The most common reason for an SQL injection type of attack is an incorrect processing of the input data that is transferred into SQL requests. Suppose a server uses the input parameter id which is transferred through the GET line of the request type http://www.somesite.com/?id=123 to search the entry in the database table with the information about the user with the user_id which equals 123. Let’s also suppose  that the PHP script responsible for the SQL request looks as follows:
    $res = mysql_query("SELECT * FROM users WHERE user_id = $_REQUEST['id'];");
    Then the SQL request itself to the database will look like this:
    SELECT * FROM users WHERE user_id = 123;
    Let’s construct the GET request so that it would contain an SQL injection attack:
    http://www.somesite.com/?id=-1+OR+1=1
    In this instance the SQL request to the database will look as follows:
    SELECT * FROM users WHERE user_id = -1 OR 1=1;
    As a result of executing this request we will get a list of all the users stored in the “users” table. Now you see how a seemingly innocent GET request may turn out to be dangerous from the point of view of information security.
    Depending on the type of the database that is used and on the degree of luck, the culprit may obtain the content of any tables, delete, change and add data and sometimes not just read but also modify local files stored on the server under attack or execute an arbitrary command. In fact, if it is possible to execute an attack of the SQL injection type, one can do anything he wants with this site, e.g.: stealing passwords and gaining access to the entire site or substituting credit card numbers, using website services without executing an actual payment and hundreds of other open or concealed actions. You may not even be aware of  such actions. The perpetrator may be robbing you little by little or may cause your business to crash at the most inopportune moment. If an XSS vulnerability is a cold, then an SQL injection is a fatal disease and one must protect oneself by all means available. Our scanner find-xss.net is specifically designed to fight this kind of “diseases”.