May 25, 2016
SQL Injection is the technique of inserting complete or partial SQL commands in user-supplied data fields of web applications and submitting them for execution by the database server.
Businesses use fields such as contact forms, feedback forms, checkout forms, and search bars to interact with website users. These fields let users legitimately submit information to the business’s database and retrieve information from it. This “open line” between user and database is prone to a web security threat known as SQL injection.
If the field is coded incorrectly, an attacker can use it to insert malicious SQL commands. The injected code can trick the database into running the attacker’s commands, which are capable of extracting private information and modifying or destroying database tables. Dynamic content, as well as form fields, is susceptible to SQL injection.
How SQL Injection Works
- Attacker enters manipulated SQL command in form field
- An insecure database considers this query valid
- Attacker gets response from database containing sensitive information
- Attacker gets information (like table name) to understand structure of database
- Attacker modifies data in database in a malicious way
Example of SQL Injection
When a user submits credentials on a login page, the web application uses them in a SQL query that is sent to the database for execution. If the submitted username and password are valid, the user gains access. Assuming the username is ‘user1’ and the password is ‘pass123’, the web application sends the following SQL query to the database for verification:
SELECT * FROM Users WHERE name = 'user1' AND password = 'pass123'
Instead of using a valid username, an attacker submits test' OR 1 = 1 -- as the username and anything for the password. The resulting WHERE clause evaluates to true for every row, and the -- turns the rest of the statement (including the password check) into a comment. The arbitrary query looks like this:
SELECT * FROM Users WHERE name = 'test' OR 1 = 1 --' AND password = 'xxxxx'
After submitting this input, the hacker gains access to a logged-in session without a password. The hacker can then steal data or manipulate the website’s databases. One such attack occurred in 2015 at VTech, an interactive toy manufacturer. Its servers suffered a SQL injection attack in which the hacker managed to access over 2.3 million pictures and 4.83 million email addresses, usernames, and passwords.
An attacker gaining administrative access to a database is an extreme security breach that SQL injection makes possible. Through this type of attack, a hacker can change or delete parts of the database, or all of it. The attacker can also launch further attacks from a compromised server and access confidential information stored in the database. Preventing this major security threat is possible by coding input-handling fields properly and keeping server software updated with the latest patches.
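The login example above and the prevention advice both come down to how the application builds the query. The following added example (not code from the original article) reproduces the article’s login query in two forms against a small in-memory SQLite database constructed here for the demonstration: one that concatenates the username and password into the SQL text, and one that passes them as bound parameters. The table name Users and the user1/pass123 credentials are taken from the article; the function names are assumptions of this example.

```python
import sqlite3

# Constructed sample data for this example: an in-memory database holding the
# single account the article uses (user1 / pass123). Not real application data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('user1', 'pass123')")
    conn.commit()
    return conn

def build_vulnerable_query(name, password):
    # The mistake the article describes: user input is pasted straight into
    # the SQL text, so the database parses the input as part of the statement.
    return ("SELECT * FROM Users WHERE name = '" + name +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, name, password):
    # Returns True when the (possibly injected) query matches any row.
    row = conn.execute(build_vulnerable_query(name, password)).fetchone()
    return row is not None

def login_parameterized(conn, name, password):
    # Hardened form: the SQL text is fixed and the values are bound separately,
    # so a quote or "--" in the input is just characters inside a string value.
    query = "SELECT * FROM Users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return row is not None

def demo():
    conn = make_db()
    injected_name = "test' OR 1 = 1 --"   # the username from the article
    return {
        # legitimate credentials work in both versions
        "legit_vulnerable": login_vulnerable(conn, "user1", "pass123"),
        "legit_param": login_parameterized(conn, "user1", "pass123"),
        # the injected username bypasses the check only when concatenated
        "inject_vulnerable": login_vulnerable(conn, injected_name, "xxxxx"),
        "inject_param": login_parameterized(conn, injected_name, "xxxxx"),
    }

if __name__ == "__main__":
    print(build_vulnerable_query("test' OR 1 = 1 --", "xxxxx"))
    for label, outcome in demo().items():
        print(f"{label}: {'logged in' if outcome else 'rejected'}")
```

Running the block prints the exact statement shown in the article and then shows the concatenated version accepting the injected username while the parameterized version rejects it. The hardened function is the same length as the vulnerable one; the difference is only whether the driver or the string builder is responsible for keeping data out of the SQL grammar.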