
What is SQL Injection (SQLi) and How to Prevent It?

What is SQL Injection (SQLi)

SQL Injection (SQLi) is an injection attack that lets an attacker execute malicious SQL statements against the database server behind a web application.

Injection occurs when user input is sent to an interpreter as part of a command or query and tricks the interpreter into executing unintended commands or returning data the user is not authorized to see.

How attackers exploit SQL injection

An attacker injects SQL control characters and keywords (for example the single quote ('), double quote ("), equals sign (=) and the comment sequence (--)) to change the structure of the query. Combined with ordinary SQL commands (SELECT, FROM, DELETE, etc.), these characters let the attacker take control of the database server behind the web application.

A successful attack requires the web application to include attacker-controlled data in a SQL statement. That data usually comes from an untrusted source such as a form field or URL parameter; in some cases data already stored in an internal database can also be the source. When the resulting statement executes against the backend database, the attacker can read or modify data, depending on how the malicious input was crafted.

Implications

Attackers can use SQL injection to find the credentials of other users in the database and then impersonate them. The impersonated user may be a database administrator with full database privileges.

  1. An attacker can inject malicious content into the vulnerable fields.
  2. Sensitive data such as usernames and passwords can be read from the database.
  3. Database data can be modified (Insert/Update/Delete).
  4. Administrative operations can be executed on the database.
Vulnerable objects:

-Input fields
-URL parameters that reach the database

Examples

Here is an SQL injection demonstration on a login page, performed without valid credentials. The attacker knows a username (john) but not the password.

Username: john
Password: ' OR '1'='1

The application builds the query by concatenating the input into the SQL text, so the statement sent to the interpreter becomes:

SELECT * FROM Users WHERE User_Name = 'john' AND Password = '' OR '1'='1';

The injected quote closes the password literal, and the OR '1'='1' clause is always true, so the WHERE condition matches every row and the login succeeds without the password.

[Figure: SQL injection demonstration with SQL commands in login]

How to Prevent It

-Allow-list (whitelist) input fields: accept only the characters, length and format each field legitimately needs, and reject everything else.
-Avoid displaying detailed database error messages; they help an attacker map the query and schema.
-Don't use dynamic SQL; never build queries by concatenating user input. Use parameterized queries (prepared statements) so values are passed separately from the SQL text.
-Reduce your attack surface, for example by running the application under a least-privilege database account.
-Continuously monitor the SQL statements issued by database-connected applications for unexpected structure.
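The login bypass from the example above and the "don't use dynamic SQL" advice, as an added worked example that is not part of the original post: a login check built with string concatenation (vulnerable) beside the same check using a parameterized query, plus an allow-listed, error-silent wrapper, all run against an in-memory SQLite database. The table and column names follow the page (Users, User_Name, Password); the sample rows, the extra Is_Admin column, the helper function names and the username allow-list pattern are assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed sample data for the demo. Plaintext passwords are used only so the
# comparison in the query is easy to follow; a real application stores password hashes.
SAMPLE_USERS = [
    ("admin", "s3cret-admin", 1),
    ("john", "pass123", 0),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory Users table (names follow the page) with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (User_Name TEXT, Password TEXT, Is_Admin INTEGER)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def build_dynamic_query(username: str, password: str) -> str:
    """The vulnerable pattern: user input is pasted straight into the SQL text."""
    return (
        f"SELECT User_Name FROM Users WHERE User_Name = '{username}' "
        f"AND Password = '{password}'"
    )


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """Dynamic SQL. A quote in the input closes the string literal, so the OR or --
    that follows it becomes SQL syntax and changes the structure of the query."""
    return [row[0] for row in con.execute(build_dynamic_query(username, password))]


def login_safe(con: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query. The SQL text is fixed; the driver passes the values
    separately, so the same payload is compared literally against the column."""
    query = "SELECT User_Name FROM Users WHERE User_Name = ? AND Password = ?"
    return [row[0] for row in con.execute(query, (username, password))]


# Assumed allow-list for this demo: usernames are 1-32 word characters. Validation is a
# second layer only; it does not replace parameterization (a password field, for
# instance, cannot be restricted this tightly).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_allowed(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(con: sqlite3.Connection, username: str, password: str) -> list:
    """Allow-list the username, use the parameterized query, and never return the
    database error text to the caller (a generic failure instead)."""
    if not username_allowed(username):
        return []
    try:
        return login_safe(con, username, password)
    except sqlite3.Error:
        # Log the real error server-side; the user only sees a generic failure.
        return []


if __name__ == "__main__":
    con = make_db()
    tautology = "' OR '1'='1"   # the page's login-bypass payload
    comment = "admin' --"       # closes the literal and comments out the password check

    print("Dynamic SQL sent to the interpreter:")
    print("  " + build_dynamic_query("john", tautology))
    print("vulnerable,    john/pass123   :", login_vulnerable(con, "john", "pass123"))
    print("vulnerable,    john/tautology :", login_vulnerable(con, "john", tautology))
    print("vulnerable,    comment/any    :", login_vulnerable(con, comment, "anything"))
    print("parameterized, john/tautology :", login_safe(con, "john", tautology))
    print("parameterized, comment/any    :", login_safe(con, comment, "anything"))
    print("hardened,      comment/any    :", login_hardened(con, comment, "anything"))
```

With the tautology payload the vulnerable query matches every row, so an application that logs in whichever row comes back first would typically land on the admin account; the comment payload needs no password at all. The parameterized version returns nothing for both, because the payload is compared as a literal password string rather than parsed as SQL.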


The author prefers to remain anonymous.
