A seemingly infinite number of sub-methods or variations of SQL injection attacks can be carried out against the database. The most common technique exploits a lack of user input filtering on web pages or application user interface elements. When executed through a web front end, these attacks will not necessarily be caught by firewalls, because they are hidden as part of the regular POST data submitted with a web form. A good database activity monitoring (DAM) solution is able to identify these attacks by looking at the actual SQL code submitted or executed on the database back end.
Source: https://threatpost.com/how-own-database-sql-injection-070710/74182/
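The following added example (not from the original article) shows what a monitor sees at the database back end when form input is pasted into a statement unfiltered, next to the parameterized form of the same query. The table, the function names, the sample form values and the structure-fingerprint check are assumptions made for illustration; they stand in for the SQL inspection a DAM product performs and do not represent any specific product.

```python
import re
import sqlite3

# Statement shape the application is expected to send (constructed baseline).
BASELINE = {"select id from users where name = ? and password = ?"}

def fingerprint(sql):
    """Reduce a statement to its structure: every literal becomes '?'."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals
    sql = re.sub(r"\b\d+\b", "?", sql)          # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()

def monitor(sql, alerts):
    """DAM-style check on the SQL text as it reaches the database."""
    if fingerprint(sql) not in BASELINE:
        alerts.append(sql)

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    return conn

def login_unfiltered(conn, name, password, alerts):
    # Weak form: form fields are concatenated into the statement text.
    sql = ("SELECT id FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    monitor(sql, alerts)
    return conn.execute(sql).fetchall()

def login_parameterized(conn, name, password, alerts):
    # Corrected form: values are bound, so they cannot alter the statement.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    monitor(sql, alerts)
    return conn.execute(sql, (name, password)).fetchall()

# Constructed sample form values, as they would arrive in POST data.
GOOD = ("alice", "s3cret")
TAMPERED = ("alice", "x' OR '1'='1")

if __name__ == "__main__":
    conn, alerts = make_db(), []
    print(login_unfiltered(conn, *GOOD, alerts), alerts)
    print(login_unfiltered(conn, *TAMPERED, alerts), alerts)
    print(login_parameterized(conn, *TAMPERED, alerts), len(alerts))
```

The tampered value looks like any other form field in transit; only the SQL text at the back end shows that the statement's structure changed, which is the point at which the monitor raises its alert.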

