What is SQL Injection?
Introduction to SQL Injection
- SQL injection is an attack technique that exploits a vulnerability in how a web application builds its database queries; it can expose, alter or destroy the database behind a website or web application. It is one of the most widely used web-based attacks.
- The major objective of an SQL injection is to gain access to the database of a website. For an SQL injection to work, there must be a web application that is connected to a database.
- Since the database holds all the data, including the administrator's login password, an attacker who reaches it can get into the admin page and edit the website, starting from nothing more than a web form.
- The web form asks for a username and password. When the user submits the form, the application runs a SQL SELECT query against the database using those inputs.
- The system compares the entered username and password with the username and password already stored in the database. If both match, the user is granted access; otherwise access is denied.
- Some websites have no mechanism to restrict what an input may contain. Such websites are vulnerable to SQL injection: SQL fragments can be fed as input and the system will execute them as part of its own query.
- For example, the attacker can craft input that reads out the entire database, deletes or modifies it, or makes the login condition always true. If the password condition is always true, it no longer matters what password is entered: normally the system checks the entered password against the stored one, but if the injected input alters that check (or drops the password table), the system accepts any password. In this way the attacker gains access to the database and can learn the passwords of the site's users, the tables and their contents, the internal structure of the website and any other information it holds.
- This method is called SQL injection: a query is injected into the database to manipulate it and gain unauthorized access. It is the most dangerous type of website attack for an SQL-based database.
- One way to prevent such attacks is to reject any input other than the expected usernames and passwords.
- SQL injection payloads are assembled at run time, so avoid building commands dynamically from user input. Protect the database with a web application firewall. Also, do not reveal confidential information about the website to anyone.
- Websites can suffer huge data and financial losses from such SQL attacks.
Example:
Suppose there is a web application with a database connected to it. The application may take input from the user and store it in the database, or fetch data from the database and display it to the user.
In either case, the web application generates a SQL query, sends it to the database, the database executes it, and the relevant information is returned to the web application. This is the normal flow.
When an attacker uses SQL injection, they try to manipulate this query so that it does something it is not supposed to do. The attacker injects a malicious string into the SQL query, changing its logic so that it acts in an unauthorized way. The manipulated query is then sent to the database, executed there, and the results are returned.
This is SQL injection: a code injection technique used to execute malicious, dynamically constructed SQL statements. Attackers use it to take control of database servers.
How to prevent SQL injection
- Avoid using dynamic SQL
User input should never be placed directly into the SQL query that is run on the database. Instead of dynamic SQL, use stored procedures, prepared statements and parameterized queries, which are safer than dynamically built queries.
- User-provided inputs must be sanitized
The data provided by the user must be checked against the expected type and format before it is used.
- Sensitive data should not be in plaintext
Before confidential data such as passwords is stored in the database, it should be hashed rather than kept in plaintext, and each hash should be salted to add an extra layer of protection.
- Database errors should not be displayed directly to the user
Error details shown to the user can help an attacker learn about the structure of the database.
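The login flow from the example above and the first three prevention points, shown side by side as an added illustration (not code from the original page): a login that pastes form input into the query text next to one that uses a parameterized query and a salted hash. The users table, the `admin` account and the always-true test input are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 hash: the page recommends storing hashes, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table for the demonstration only. The plaintext
    # password column exists solely so the vulnerable login below can be shown;
    # a real schema should keep only salt and hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users "
                 "(username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("admin", "s3cret", salt, hash_password("s3cret", salt)))
    conn.commit()
    return conn


def login_dynamic(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # VULNERABLE (dynamic SQL): the form input becomes part of the query text,
    # so a quote in the input changes the WHERE clause itself.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # HARDENED: the placeholder keeps the input as data; the query shape is fixed.
    # The password never reaches the query at all; only its salted hash is compared.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# The "always true" password condition the page describes, used here only as a
# regression input to confirm that the parameterized login rejects it.
ALWAYS_TRUE_INPUT = "' OR '1'='1"
```

Running both logins with `ALWAYS_TRUE_INPUT` as the password shows the difference directly: the dynamic version accepts it, the parameterized one does not.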