What is an SQL injection?
All you need to know about this common hacking technique, and how to prevent it
If you are considering creating a website or an application, it’s important to know the potential threats you may encounter. Knowing these vulnerabilities beforehand will help you identify and prevent them.
One of the most common hacking techniques is SQL injection. This technique allows a hacker to attack or manipulate databases by inserting malicious SQL instructions.
SQL injections are a common threat for most website and application managers. Our guide walks you through this widespread threat so you can protect your own applications from it.
What is a SQL injection?
Databases are critical elements for nearly every website and application. Databases store the information that digital applications require to work properly. For example, your username and password are stored in a database when you sign in to a website. Then, every time you log in, the application makes a query to its database to authenticate your credentials. The standard programming language to interact with databases is SQL.
SQL injection is a way to attack applications and manipulate the underlying databases by injecting malicious SQL statements. SQL injections allow an attacker to access data that aren’t normally available for users.SQL injection is one of the most popular attacks because it is relatively easy to implement.
Hackers may send SQL injections for several purposes, including:
- Accessing sensitive data, such as:
- passwords,
- credit card details
- patents
- Manipulating databases, such as inserting, updating, and deleting data
- Modifying permissions to access other functionalities of an application
- Shutting down a database
- Deleting a table or the complete database
What is the impact of a successful SQL injection?
SQL injection attacks can have devastating effects on both the affected users and the company under attack.
Impact of SQL injection on users
Although companies are the common target of SQL injections, users can also be affected. This happens when a SQL injection results in a breach of personal data. SQL injection attacks can have serious consequences for people, including:
- Loss of money. If attackers access financial data like credit card details, they could transfer money from a user’s account.
- Loss of privacy. If attackers access and disclose sensitive data, such as health-related data, user privacy can be compromised.
- Identity theft: When a hacker controls a database, they can obtain the personal or financial information of users and use their identity to commit fraud.
Impact of SQL injection on companies
A SQL injection normally results in a data breach. When this happens, the affected company must be prepared to face the damage to its public image and minimize it.
Below you can find some of the damages companies can suffer from an SQL injection:
- Sabotage. Severe SQL injections can lead to attackers having full control of a company database. If critical elements of the software are damaged or destroyed, the company may not be able to continue its operations.
- Data theft. Many SQL injections are aimed at stealing sensitive data, such as trade:
- secrets,
- privileged information
- protected intellectual property
- user information
- Loss of reputation. After suffering the effects of an SQL injection, it can be difficult for a company to regain the trust of its customers and the general public.
An example of SQL injection
Consider a website that displays coding courses. To display all the courses on web development, the course category is passed as the GET parameter in the URL:
https://www.sololearn.com/course?category=web_development
This application then creates the following SQL query to get the data of the requested course category from the database:
SELECT * FROM Courses WHERE category = 'web_development' AND published = 1 '
The restriction published = 1 is used to show only the courses that are published. Those courses that are not found have a value of 0.
In this example, the application does not implement any defence. As a result, an attack can be built by modifying the URL parameter:
https://www.sololearn.com/course?category=web_development'--
Which would return the following query
SELECT * FROM Courses WHERE category = 'web_development' --' AND published = 1';
With the comments indicator (–), we indicate that the rest of the query is interpreted as a comment. The rest of the query won’t be executed, so the application will show all the courses, both published and unpublished.
If an attacker would also see all the courses irrespective of the category, he could modify the URL as follows:
https://www.sololearn.com/course?category=web_development'+OR+1=1--
The resulting SQL query would be:
SELECT * FROM Courses WHERE category = 'web_development' OR 1 = 1 --' AND published= 1;
This is a simple example to demonstrate how the query can be manipulated to retrieve hidden data.
Want to learn more about SQL statements? Check out our free SQL Tutorial now!
How to prevent SQL injections
There are a number of measures you can implement to prevent SQL injection attacks.
First, parameterized queries can be used instead of embedding input values in SQL queries. Parameterized queries do not concatenate the variables to the SQL query. Rather, they use a specific syntax to pass a default set of parameters to the SQL query.
A common way to implement parameterized queries is Object-Relational Mapping (ORM). ORM is a technique that allows querying and manipulating data from a database using an object-oriented paradigm. With ORM, database tables are converted into entities to greatly simplify the programmer’s task and speed up application development.
Another measure to prevent SQL injections is eliminating special characters. SQL injection attackers usually use special character sequences to infiltrate a database. Depending on the programming language you are using, there will be different functions available. For example, in PHP it is usual to escape parameters using the mysqli_real_escape_string() function before sending the query to MySQL.
You can also use a Web Application Firewall (FAW). A WAF helps protect web applications by filtering and monitoring HTTP traffic between an application and the Internet. By deploying a WAF in front of a web application, a shield is placed between the web system and the Internet.
Finally, setting the correct database permissions is also a common way of reducing the risk of SQL injection attacks. This is achieved by limiting the permissions of the database login used by the application to only what is needed (for example, letting it only run SELECT queries on the specific database table).
Conclusion
Now that you know the basics, are you worried that your SQL skills might not be adequate to stop an attack? Don’t worry! The SoloLearn SQL Fundamentals course can help you fill any gaps in knowledge, with targeted tutorials on SQL essential elements and quizzes and challenges to test your skills before working on a live application. Give it a try!