I've been testing a search feature on my company's site. The search feature is just to select a state from a drop-down, then enter someone's last name. I just found that in the field for someone's name, I can enter a very long string of characters that just keeps going. Would this be vulnerable to SQL injection? The developers are changing it to have a limit, but I was just wondering if search features are vulnerable to SQL injection, and what someone can get out of SQL injection.
It's quite frequent to find SQL injection in a search feature because many programmers forget about it.
Anything that is sent from the client to the server can be vulnerable to SQL injection and must be sanitized before querying the database. Fields, URL parameters, cookies, etc.
Note: it was probably not intended, but "enterable field" is misleading. Hidden or read-only fields can also be vectors of SQL injection into the web application even though they don't seem to be active. A malicious user could use a web proxy, a forged request, or even simply change the HTML page locally.
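To illustrate the answer's two points on the asker's own scenario (state drop-down plus last-name field), here is an added example that is not part of the question or the answer. The table, the state list and the sample rows are constructed; it shows that the risk comes from building the SQL text out of the input rather than from its length, and that the drop-down value is validated server-side against an allowlist because a proxy can forge it.

```python
import sqlite3

# Constructed sample data for the demo; not from any real system.
STATES = {"CA", "NY", "TX"}  # server-side allowlist mirroring the drop-down

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (last_name TEXT, state TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", [
        ("Smith", "CA"), ("Jones", "CA"), ("Smith", "NY"), ("Lee", "TX"),
    ])
    return conn

def search_vulnerable(conn, state, last_name):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote in last_name changes the structure of the WHERE clause.
    sql = ("SELECT last_name, state FROM people WHERE state = '" + state +
           "' AND last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()

def search_safe(conn, state, last_name):
    # The drop-down value is still client-controlled (proxy, forged request,
    # edited HTML), so it is checked against the allowlist like any input.
    if state not in STATES:
        raise ValueError("unknown state")
    # Bound parameters: the driver passes the values separately from the
    # query text, so quotes in last_name are just characters to match.
    sql = "SELECT last_name, state FROM people WHERE state = ? AND last_name = ?"
    return conn.execute(sql, (state, last_name)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # textbook test string, constructed for the demo
    print(search_vulnerable(conn, "CA", probe))  # every row, every state
    print(search_safe(conn, "CA", probe))        # [] - nobody has that name
```

A length limit alone would not close the hole: the probe above is shorter than many real surnames, and the fix is the parameterized query plus server-side validation of the drop-down value.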