How Does One Explain SQL Injection to a Non-Techie?


Earlier today @mubix (Twitter) asked:

Here’s my response:

SQL Injection is like a telephone operator who has to relay, sound by sound, a conversation between two people who cannot be connected directly, in a language the operator doesn’t understand. The problem is that the operator has no way of knowing whether she’s telling the person on the other side “Happy Birthday” or giving them instructions on how to kill themselves.

I’m not sure if that’s useful only to geeks who already understand SQL Injection, or if it’s usable by muggles (which was the point). Anyway, that’s my go at it, @mubix.
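For readers who want to see the operator analogy in actual code, here is an added example (not part of the original post): the database is the operator, and a query built by string concatenation hands it user text it cannot distinguish from instructions. The table, the usernames and the hostile input are constructed for the demo; the same query written with a placeholder keeps the value strictly as data.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: a tiny in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The "operator" relays whatever it is handed: the user's text is spliced
    # straight into the SQL, so the database cannot tell data from instructions.
    query = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the statement and the value travel separately, so the
    # value is only ever treated as data, whatever characters it contains.
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Hostile input constructed for the demo: closes the quoted string and
    # appends a condition that is always true.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),        # no such user, nothing returned
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the hostile input the concatenated statement becomes `... WHERE username = 'x' OR '1'='1'`, which matches every row; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none.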

