I've heard that SQL Injection is one of the most common tools that hackers use to hack a web application. Can anyone please give me a brief overview of what SQL Injection is, or any webpages that I can refer to?
SQL injection is an attack on the database. Basically, injectors take an educated guess about your query design and try to manipulate it. Let's take a look at the following login:
$query = "SELECT * FROM customers WHERE username = '$name' and password = '$password'";
$name and $password come from a form using input type='text'. Thus, anything can be typed into these fields. So, the injector types in ' OR 1' for each field. Let's substitute the variables and actually take a look at what gets sent to MySQL:
$query = "SELECT * FROM customers WHERE username = '' OR 1'' and password = '' OR 1''";
Adding ' OR 1' to the variable will a) keep the query from failing due to parse errors and b) make the query default to true, giving the user access to anything in the db that he/she is capable of getting to.
Depends on the technology used. I think that Java and its PreparedStatements is something that you cannot beat; with PHP you need to do a lot of checking and set up many rules to prevent injections. I expect that Microsoft web pages built with C# or VB are reasonably secure; dunno about plain ASP, I never worked with it.
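Added example, not part of either post above: the login query from the first answer built by string concatenation, next to the prepared-statement form the second answer recommends. It assumes Python's built-in sqlite3 module and an in-memory table instead of the thread's PHP and MySQL; the function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; the plaintext password column mirrors the
    # query in the answer above (a real application would store a hash).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, password TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "s3cret"), ("O'Brien", "pw")])
    return db

def build_concat_query(name, password):
    # Same construction as the PHP line in the answer: form input is pasted
    # into the SQL text, so quotes typed by the user become SQL syntax.
    return ("SELECT * FROM customers WHERE username = '" + name +
            "' and password = '" + password + "'")

def login_concat(db, name, password):
    try:
        return db.execute(build_concat_query(name, password)).fetchall()
    except sqlite3.Error as exc:
        return exc  # the database received a statement the developer never wrote

def login_param(db, name, password):
    # The statement text is fixed; values travel separately and are only
    # ever compared as data, whatever characters they contain.
    sql = "SELECT * FROM customers WHERE username = ? and password = ?"
    return db.execute(sql, (name, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    typed = "' OR 1'"  # the form input quoted in the answer
    print(build_concat_query(typed, typed))
    print("concat, input from the answer:", login_concat(db, typed, typed))
    print("param,  input from the answer:", login_param(db, typed, typed))
    # A legitimate name containing an apostrophe shows the same root cause.
    print("concat, O'Brien:", login_concat(db, "O'Brien", "pw"))
    print("param,  O'Brien:", login_param(db, "O'Brien", "pw"))
```

With bound parameters the typed quotes never reach the SQL parser, so the same code path handles both the input from the answer and an ordinary customer named O'Brien.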