More on SQL Injection with DVWA
Last night, Allison Nixon gave an excellent talk to a packed room, going over SQL Injection vulnerabilities and letting the audience try it themselves against a local version of Damn Vulnerable Web Application. If you'd like to install and run it yourself, you can download it here: http://sourceforge.net/projects/dvwa/
One of the very helpful parts to Allison's talk was the pre-built SQL strings that we were able to copy and paste into the application. Here is a similar PDF from HackYeah.com that will show you many of the same things that Allison presented.
As Allison stressed multiple times during her presentation:
1. Learn SQL. You can't be really good at SQL injection unless you know and understand SQL
2. Don't use tools. You're less of a person if you use SQL Injection tools.
3. If you use this knowledge to do anything illegal, I don't know you. Neither Allison nor ProvWebAppSec condones any illegal activities with these skills.
4. Do not trust a security product unless they know how the details of attacks work and how it defends against them.