SQL Injection

SQL Injection:
Internet Hackers introduces the concept called SQL injection. It'snothing but injecting some malicious code to hack your system or to break with website. Since, they are using the concepts of sql server to break the security of the server. It's referred to as SQL Injection.
Considering am creating a table which contains username and password and based on the username and password. The user will be allowed to enter into the system.
CREATE TABLE VenkatSQLInjection(id INT,USERNAME VARCHAR(100),password VARCHAR(10))
INSERT INTO VenkatSQLInjection VALUES(1,'Venkat','Venkat')
INSERT INTO VenkatSQLInjection VALUES(2,'SUBA','SUBA')
SELECT * FROM VenkatSQLInjection
Below is teh procedure to validate the user authentication,
CREATE PROCEDURE SQLInjectionProc
(
@USR VARCHAR(10),
@PWD VARCHAR(10),
@VAL INT OUTPUT
)
AS
BEGIN
SELECT @VAL =COUNT(*) FROM VenkatSQLInjection WHERE USERNAME = @USR AND password = @PWD
RETURN @VAL
END

IF the user knows the username by using cookies. They will try to hack the system with out password. One possibility is, Considering you will be having a GUI which ask for User name and password. If the user give the existing username. For example, 'SUBA''--' and password as 'ABC'
In SQL Server, the operation resembles,

SELECT COUNT(*) FROM VenkatSQLInjection WHERE USERNAME = 'SUBA'-- AND password = 'ABC'

Obviously, the system will recognize the person as valid user and Its the basic foudation for hacking.
Happy Learning!!!
Regards,
Venkatesan Prabu .J