How Was SQL Injection Discovered?

SQL injection has become the scourge of the Internet era. Year after year, it is cited as one of the top security vulnerabilities on the Internet, responsible for countless data breaches.

Jeff Forristal, also known by the alias Rain Forrest Puppy, was one of the first people to ever document SQL injection. Forristal, now the CTO of mobile security vendor Bluebox Security, wrote the first public discussion about it, back in 1998.

In a video interview with eSecurity Planet, Forristal discusses how he chose his alias and how he first came across SQL injection.

Back in December of 1998, Forristal was writing about how to hack a Windows NT server and found something out of the ordinary. At that time in the late 1990s, few websites were using full Microsoft SQL server databases, he said. Instead many used simple Microsoft Access-based databases.

“I can completely change the way SQL works,” Forristal said. “At that point, there were no real security properties fronting a database.”

Even after all these years, Forristal is not surprised that SQL injection remains a large security concern.

“Certainly [SQL injection] is still there,” Forristal said. “From the perspective that it’s still prolific, yeah it’s an interesting problem, but core vulnerability classes are prolific in many places anyway.”

Watch the full video interview with Jeff Forristal below:

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.