It is time to earn a little about SQL injection, a conceptually simple and very popular attack that can be mounted against many websites with a database back-end.
An earlier post on DITC by Tim Kellogg talks about actually experiencing the hacker ethos by attempting specific exploits. I’d like to second the notion, especially when it comes to SQL injection. This exploit turns on the ability to query your websites and get all sorts of useful information, such as your entire customer contact list or other sensitive data. And what makes this attack so troublesome is that it can be done without using any specialized tools other than a Web browser, and it doesn’t even require much in the way of programming knowledge.
SQL injection is the very old practice and still actual only for very old forgotten sites.
Of course you can try find a few vulnerable sites using inurl:id=1 site:.{domain} in google, but the vast majority of sites fixed this problem long time ago.