Yesterday, I stumbled on a well-known website of a company with tons of customers that was vulnerable to SQL injection attacks. It's so funny, I always thought that by now most of the big guys are past this stage and prevent these exploits for quite some time. But yeah, I was able to tweak the SQL code and see parts of the SQL statement. I was able to run some SQL statements that slowed down the database.
However, I didn't feel morally right to mess with the data more and informed the company about this vulnerability and they fixed it by now.
Nevertheless, I found it ironic that MS Access in this case is “better“ than SQL Server, for it apparently does not recognize the “--” comment tag. So, I was a little bit limited in tweaking the SQL statement, because I had to accomodate for the SQL statements that follow my injection.
So, yeah, folks, please take a time and learn what a SQL injection attack is and fix your code. There is soooo much damage one can do with these kind of attacks, and it's scary how many companies still allow this.
See: http://www.sitepoint.com/article/794