Worms use SQL injection along with cross-site scripting (XSS) to break into websites and extract data or embed malicious code.
SQL injection sends crafted input to a web server that is linked to an SQL database. If the application is not correctly designed and hardened, it may treat data entered in a form field (such as a username) as part of a command to be executed on the database server. For example, an attacker might enter a string designed to make the database return its entire contents, such as customer records and payment information.
Probably the best-known data breach that employed an SQL injection attack occurred in March 2008, when hackers broke into the systems of payment processor Heartland Payment Systems and compromised 134 million credit card details.
Web application firewalls (WAFs) defend against this style of attack with a set of “patterns” designed to detect SQL commands in requests transmitted to the web server. As with any pattern-based system, the patterns must be kept up to date to counter new and creative ways of embedding SQL injection commands if the WAF is to offer the best possible protection.
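The following added example (not code from the original article) shows the two points above in miniature: a lookup that splices the form value into the SQL text, so a username field can widen the query to the whole table, beside the hardened version that binds the value as a parameter, plus a single illustrative WAF-style pattern of the kind described above. The in-memory `customers` table and the `WAF_PATTERN` regular expression are constructed for this example; real WAF rule sets are far larger, and parameterized queries remove the flaw at the source regardless of what the WAF catches.

```python
import re
import sqlite3

# Constructed sample data standing in for the "customer records" mentioned
# in the text; nothing here comes from a real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the form value becomes part of the SQL text, so the
    # database cannot distinguish data from command.
    sql = ("SELECT username, card_last4 FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: a placeholder plus a bound parameter; the driver hands
    # the value to the database as data, never as SQL.
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# One illustrative (hypothetical) WAF-style pattern: a quote followed by an
# OR tautology. Real rule sets contain many such patterns and need updating.
WAF_PATTERN = re.compile(r"'\s*or\s*'", re.IGNORECASE)

def waf_flags(form_value: str) -> bool:
    return WAF_PATTERN.search(form_value) is not None

def demo() -> dict:
    conn = make_db()
    injected = "' OR '1'='1"  # constructed tautology typed into the username field
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_injected": lookup_unsafe(conn, injected),  # every row comes back
        "safe_injected": lookup_safe(conn, injected),      # no such username
        "waf_flags_injected": waf_flags(injected),
        "waf_flags_normal": waf_flags("alice"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```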