What is an SQL injection?
An SQL injection is a common hacking technique in which malicious input is placed into SQL queries that are built without proper handling of user-supplied data. This occurs when users are asked to input information, such as usernames—only instead of providing a username, a hacker inputs an SQL statement designed to run surreptitiously. This technique allows them to read, edit, and potentially even delete data in the database.
Usually, there are two parts to an SQL injection attack. The first step is research: determining how to trick the target database. An attacker will try inputting unexpected values for the argument in the SQL statement, which can reveal vulnerabilities in the database queries. The attacker then uses the application’s responses—including the information provided in error messages—to formulate an SQL command that tricks the database.
From there, the hacker goes in for the attack. Based on the observations from the research step, the hacker enters an input value that the database interprets as an SQL command rather than data. The database then runs the command.
There are a number of tools available that allow hackers to automate both the research and attack portions of an SQL injection, which means it’s vital to maintain strong and effective security protocols to prevent and protect against SQL injections.
Examples of SQL injection attacks
Let’s return to the e-commerce example from earlier, which retrieves an item description based on a given item number. A hacker executing an attack could conceivably enter an input value like the following:
ItemNumber: 105 OR 1=1
Then, the SQL statement will look like this:
SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = 105 OR 1=1
The addition of OR 1=1—a statement that the database will recognize as always being true—has the unintended effect of returning every product name and description in the database, even the ones that shoppers may not normally be allowed to access.
Here’s another SQL injection attack example that allows hackers to bypass login credentials. When presented with a login form, a hacker might enter the following values:
Username: " OR ""="
Password: " OR ""="
The result is another valid SQL statement. Because the database evaluates the resulting condition ""="" as always true, it returns every row of the user table, giving the hacker access to everyone’s login information. Here’s one last—and particularly dangerous—example:
SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = 105; DROP TABLE USERS
This particular statement uses the semicolon, which separates SQL statements and which a database interface may fail to filter, to append a second command that has the potential to delete the entire user table.
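To make the item-lookup and login examples above concrete, here is an added example (not code from the original article) that builds both queries two ways against a throwaway SQLite database: once by pasting the input into the statement text, and once with bound parameters. The table names follow the article; the rows are constructed sample data, and single quotes are used as the string delimiter so the login payload reads ' OR ''=' instead of the article's double-quoted form.

```python
import sqlite3

# Constructed sample data; table and column names follow the article's example.
ITEMS = [(101, "Mug", "Ceramic, 300 ml"), (105, "Lamp", "Desk lamp"),
         (109, "Chair", "Staff only")]
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Item (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT)")
    conn.executemany("INSERT INTO Item VALUES (?, ?, ?)", ITEMS)
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def item_lookup_unsafe(conn, item_number):
    # Vulnerable: the input becomes part of the statement text, so
    # "105 OR 1=1" is parsed as SQL and widens the WHERE clause.
    sql = f"SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = {item_number}"
    return conn.execute(sql).fetchall()


def item_lookup_safe(conn, item_number):
    # Parameterized: the value is bound separately and only ever compared
    # as data; "105 OR 1=1" simply matches no item number.
    sql = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = ?"
    return conn.execute(sql, (item_number,)).fetchall()


def login_unsafe(conn, username, password):
    # Vulnerable: quotes in the input close the literal and add a clause
    # (' OR ''=') that is always true, so every user row comes back.
    sql = (f"SELECT Username FROM Users WHERE Username = '{username}' "
           f"AND Password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameterized: the same payload is just a username that does not exist.
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(item_lookup_unsafe(db, "105 OR 1=1"))        # all three items leak
    print(item_lookup_safe(db, "105 OR 1=1"))          # []
    print(login_unsafe(db, "' OR ''='", "' OR ''='"))  # both users
    print(login_safe(db, "' OR ''='", "' OR ''='"))    # []
```

The same payloads that return every row through the concatenated queries return nothing through the parameterized ones, which is the whole defence in two lines per query.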
There are many more ways that SQL injection attacks can be disruptive, but the threat illustrated by these basic examples is obvious, especially when it concerns database tables containing sensitive client information. That’s why it’s incredibly important for MSPs and database administrators to have a solid understanding of how to properly construct each part of an SQL query.
For more information on SQL injection and other common threats, read through our related blog articles.