A Study of Online Database Servers: The Case of SQL - Injection, How Evil that could be?

SQL injection attack is one of the most serious security vulnerabilities in many Databases Managements systems. Most of these vulnerabilities are caused by lack of input validation and SQL parameters used particularity at this time of technology revolution. The results of a SQL injection attack (SQLIA) are unpleasant because the attacker could wipe the entire contents of the victim's database or shut it down. As such, SQLIA can be used as important weapons in cyber warfare. As an attempt of breaching of number of application data bases systems two SQL injection techniques were used to successful locating vulnerable points during this research which are Blind Text Injection Differential and Error based Exploitation. The motivations behind were to find out where the databases systems are most likely to face an attack and proactively shore up those weaknesses before exploitation by hackers. The success of both techniques is a result of poor web server (online database server) design especially in the selection of error messages (or answers) they display to website users if something goes wrong. The approach through examination of error messages (error codes) did enable to precisely know the backend Database Management System (DBMS) type and version and what exactly are parameters (variables) which can allow “illegally” injecting codes (a SQL query). Additionally, the paper presents SQLIA cases and their impact in Tanzania cyber space as well as it suggests the possible mitigation ways while reflecting the collected data with what currently existing in cyberworld as far as SQL injection attack is concern to present the reality.