I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?

Can someone explain plz?


You do not need to know the column names. If you pull information from an open source, like a querystring, and directly insert it into your sql statement, like below, they can add bad stuff to it... like below:

strRequest = Request.QueryString("query")
strSQL = "SELECT column FROM table WHERE column2='" & strRequest & "'"

'This is why it is bad below:
strRequest = "stories from';DROP...;"
'Imaging with me, when they insert this and get it right, they deleted your entire table and all your data. Names are not as hard to guess as most would think.
'Try running the code to remove certain words like "drop" ";" "alter" "create" etc, if you have to pull from a querystring.

If you are interested in reading a good piece on SQL Injection that tells you how to hack into sites that don't protect themselves against such attacks and (what is more important) how to protect your site against such attacts, let me share a URL with you:


This article is easy to read. It takes you on a step by step journey through the hacker's thought process and how he can succeed in creating havoc. It also tells you what you can do to defend you site against such attacks.

Hope this helps.