- An SQL injection is normally carried out through a form on a website.
- The attacker needs no control over the server or over the database.
- With SQL injection, an attacker can reveal any data that would normally be
inaccessible.
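
The points above, shown as an added example that is not part of the original presentation: a form value concatenated into the query text returns every row, while the same value passed as a bound parameter returns none. The table, its rows, the function names and both input strings are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the website's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-note"), ("bob", "bob-note")],
    )
    return db


def lookup_vulnerable(db, form_value):
    # The form value becomes part of the SQL text itself, so quotes inside it
    # can end the string literal and change the structure of the WHERE clause.
    query = "SELECT name, secret FROM users WHERE name = '" + form_value + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, form_value):
    # The placeholder passes the form value as bound data; the database never
    # parses it as SQL, whatever characters it contains.
    query = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(query, (form_value,)).fetchall()


# Constructed form inputs: an ordinary name and a value containing quotes.
ORDINARY = "alice"
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for label, value in (("ordinary", ORDINARY), ("crafted", CRAFTED)):
        print(label, "vulnerable   ->", lookup_vulnerable(db, value))
        print(label, "parameterized ->", lookup_parameterized(db, value))
```
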
Because SQL injection is so easy to apply, it is also done often. Later in the presentation we
will see that we have to distinguish between two kinds of attacks:
- The attacker has control over the server and the database, and therefore has
access to the program code as well.
- The attacker has access only to the database, through SQL injection.