Superconductor

Looking at the data in the National Vulnerability Database, it seems that SQL injection has overtaken buffer overflows as the most common security vulnerability. Buffer overflows probably still hold the record for causing the worst vulnerabilities. Some of the more dramatic attacks that the Internet has experienced, like the Morris worm, the SQL Slammer worm and the Code Red worm are all examples of attacks that took advantage of a buffer overflow vulnerability. But while SQL injection vulnerabilities are now more common than buffer overflow vulnerabilities, you typically don't get SQL injection attacks that affect significant fractions of the Internet. Instead, the effects of SQL injection attacks tend to be confined to a single site.

So there's good news as well as bad news: the good news is that the attacks that result from these vulnerabilities could be a lot worse; the bad news is that  SQL injection attacks are distressingly common.

SQL injection attacks are easy to carry out against an application that's been carelessly written, but you certainly don't want to try them against a random web site. That's probably illegal. Fortunately, the website SQLzoo.net has a place that's designed to be used to try SQL injection attacks. They even explicitly give you permission to try them. Using this site is much easier than setting up your own testbed, and it lets you try all sorts of interesting SQL injection. They even have a place to brag about any exploits that you manage to carry out. See if you can carry out one of the SQL injection attacks that the web site describes - it's a much better way to kill time than playing solitaire or mine sweeper.