Want to try writing using only simple words? Here’s a writing checker you can use: /simplewriter. To help me write the words in my Up Goer Five picture, I taught my computer to watch my writing and tell me when one of the words I used wasn’t in the top ten hundred. After I put up my Up Goer picture, other people made things to check writing, too (like this one). When I decided to write Thing Explainer, I went back to the writing checker I had used and made it better. Now, I’m happy to be able to share it with everyone! To use it, just touch here and start writing. If you use a word that’s not in Thing Explainer’s set of the ten hundred, the word will turn red.

A note on the words: Some words are used more often in certain kinds of writing and talking than in others, which means different ways of counting words will give different answers for which ones we use the most. The set of ten hundred words in Thing Explainer comes from putting together many ways of counting how much people use a word to come up with a single set of ten hundred words that should sound familiar and simple to lots of people. (I usually count all forms of a word, like “kick” and “kicked,” together as one word, although there are a few special cases where I don’t.) Thank you to James Zetlen, who helped make the word checker work on other people’s computers and not just mine.

Immortalized by "Little Bobby Drop Tables" in XKCD 327, SQL injection (SQLi) was first discovered in 1998, yet continues to plague web applications across the internet. Even the OWASP Top Ten lists injection as the number one threat to web application security.

The good news? SQL injection is the lowest of the low-hanging fruit for both attackers and defenders. It isn't some cutting-edge NSA Shadow Brokers kit; it's so simple a three-year-old can do it. This is script kiddie stuff, and fixing your web application to mitigate the risk of SQL injection is so easy that failure to do so looks more and more like gross negligence.

SQL injection is a type of attack that can give an adversary complete control over your web application database by inserting arbitrary SQL code into a database query.

There are several types of SQL injection, but they all involve an attacker inserting arbitrary SQL into a web application database query. The simplest form of SQL injection is through user input. Web applications typically accept user input through a form, and the front end passes the user input to the back-end database for processing. If the web application fails to sanitize user input, an attacker can inject SQL of their choosing into the back-end database and delete, copy, or modify the contents of the database.

An attacker can also modify cookies to poison a web application's database query. Cookies store client state information locally, and web applications commonly load cookies and process that information. A malicious user, or malware, can modify cookies to inject SQL into the back-end database.

Server variables such as HTTP headers can also be used as a SQL injection attack vector. Forged headers containing arbitrary SQL can inject that code into the database if the web application fails to sanitize those inputs as well.
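As an added example (not code from the article or from any project it mentions), the three injection vectors it names, form input, cookies and HTTP headers, shown in Python against an in-memory SQLite table constructed for the demo. The string-built query is the "before" pattern the article describes; the parameterized query beside it is the fix, and the session lookup binds all three request-derived values the same way. The form, cookie and header dicts are a hypothetical stand-in for a web framework's request object.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the application's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "session_token TEXT, user_agent TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, session_token, user_agent) VALUES (?, ?, ?)",
        [
            ("alice", "tok-alice-1", "ExampleBrowser/1.0"),
            ("bob", "tok-bob-2", "ExampleBrowser/2.0"),
            ("carol", "tok-carol-3", "ExampleBot/0.1"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The pattern the article warns about: untrusted input is pasted into the
    # query text, so the input can change what the query means.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value travels separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def lookup_session(conn: sqlite3.Connection, form: dict, cookies: dict, headers: dict) -> list:
    # Every request-derived value (form field, cookie, header) is bound as a
    # parameter; none of the three sources is trusted more than the others.
    # The three dicts are a hypothetical stand-in for a framework request object.
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users "
            "WHERE username = ? AND session_token = ? AND user_agent = ?",
            (
                form.get("username", ""),
                cookies.get("session", ""),
                headers.get("User-Agent", ""),
            ),
        )
    ]


def demo() -> dict:
    conn = make_db()
    # Textbook tautology input: it turns a string-built WHERE clause into "always true".
    tautology = "' OR '1'='1"
    good_cookie = {"session": "tok-bob-2"}
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_tautology": find_user_vulnerable(conn, tautology),  # every row leaks
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_tautology": find_user_safe(conn, tautology),  # no such username: nothing
        "session_ok": lookup_session(
            conn, {"username": "bob"}, good_cookie, {"User-Agent": "ExampleBrowser/2.0"}
        ),
        # A forged header with SQL in it is just an unmatched literal when bound.
        "session_forged_header": lookup_session(
            conn, {"username": "bob"}, good_cookie, {"User-Agent": tautology}
        ),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the string-built query returning every user for the tautology input while the parameterized version returns nothing, and the same header value that would poison a concatenated query is harmless once bound. The lesson for review is mechanical: grep the code base for query strings assembled with `+`, `%` or f-strings from anything a request supplies, including cookies and headers, and replace each with a placeholder and a bound parameter.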