SQL Injection is a technique used to inject SQL commands into an SQL statement. Attacker can read and edit sensitive data from the database and can steal information from a database. Injection is used to attack any type of SQL database.
How SQL Injection attacks
The username and password are saved in SQL statement
SELECT id FROM users WHERE username=’myname’ and password=’mypassword’
Firstly attacker will find out if the site is using a SQL database, for this attacker put a single quote in the username and password field. The username and password end up with SQL SYNTAX ERROR! This help attacker to confirm that the website is using SQL database.
SQL injection based on the value 1=1
The attacker enters following username and password: -
SELECT id FROM users WHERE username=’OR 1=1—‘ and password=’mypassword’
Now the attacker is capable to login in the table and can modify the database (insert/update/delete).
There are lots of software applications for MS SQL forensics that checks whether your website is affected by SQL Injection attack or not. Injection attacks typically are not easy to avoid, but here I found one article for MS SQL forensic that helps you to fix SQL injection error over the SQL database.