Latest updates and information from the online security industry.

What is SQL Injection?

What is SQL Injection?

SQL Injection is one of the methods in which hackers use to steal valuable or sensitive data from businesses. Perhaps, it is one of the most widely used application layer attack techniques used today. This type of hacking technique exploits the improper coding of websites, by inject SQL commands into input fields, such as login forms, to gain access to databases.

Essentially, the input fields on your website have the main purpose of allowing users input information into your database. Hackers exploit this functionality by inputting SQL statements into such input fields to query the database directly.

An In-depth Explanation about SQL Injection

Web applications allow real website visitors like you and I to input information to a database over the Internet. Databases are crucial to sustain modern websites; you can even say databases are the hearts of modern websites. They store the information required for websites to function. Websites rely on these databases to deliver content to the website visitors. Personal information, financial records, sensitive business data, and more can easily be found on databases and can easily be accessed by legitimate users individually through their own accounts. Although databases and web applications create an easy pathway for hackers to access valuable information, these are central technologies to running your business online.

SQL Injection is the hacking technique which attempts to input SQL commands through the input fields on your website to query the backend database. If there are vulnerabilities in your system, these SQL Injection attacks can allow hackers easy access to the database. Hackers can even manipulate your database or wipe it out.

Features such as contact forms, login pages, search pages, shopping carts, online user profiles, and other forms of dynamic content delivery, are integral to modern websites as they provide business to communicate with their customers. However, all these features are vulnerable to SQL Injection attacks, as long as these input fields are able to be exploited by hackers by using SQL statements to pass through the network security and directly query the database.

A Simple Example of SQL Injection

Probably you still do not really understand how hackers can exploit even the most basic of features on a website (e.g. contact form) to access your database and steal your data. Here is an example to better illustrate how hackers use this method.

A legitimate user would usually enter his username and password into a simple login page in order to view a secure area on the website. The secure area could be the shopping cart of an Ecommerce website, or the settings page for his social media account, etc.

When a legitimate user enters his username and password, an SQL query is created and sent to the database. Once it is verified by the database to see if the username and password combination is correct, the user is then allowed access into the secure area of the website.

Through SQL injection, the hacker has the opportunity to input specifically created SQL commands into the login form, in order to bypass it and see the valuable data in the database. The hacker is only able to access the database through this method if your website has vulnerabilities in your input areas (i.e. your inputs are not sanitized or made invulnerable). The vulnerabilities will allow the hacker to directly send SQL queries to the database. Hence, SQL Injection vulnerabilities act as an easy pathway for hackers and provide the means for a hacker to communicate directly to the database.

The technologies vulnerable to this attacks are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. As long as anyone as a web browser, has sufficient knowledge of SQL queries and a little bit of luck and guess work to important table and field names, he will be able to perform an SQL Injection hacking attack. Therefore, SQL Injection’s simplistic nature has fueled its growing popularity in recent years.

How is it possible for SQL queries to bypass firewalls and other security mechanisms?

Firewalls and other security mechanisms are futile against full-scale SQL Injection web attacks.

Your website has to be public for legitimate users to access it, and security mechanisms will allow public web traffic to access your website and communicate to your database (usually over port 80/443). Hence, any visitor to your website has open access to the database, as your website has to be able to return (update) the requested (changed) information.

SQL or Structured Query Language is a common computer language. This computer language provides the capability to save, manipulate, and retrieve data in a database. In fact, SQL is the only way in which websites can communicate with databases. Examples of relational databases include MySQL, Oracle, Microsoft Access, and much more, which are heavily dependent on SQL.

Here is an example of the SQL commands which can get past the login form mentioned above:

SELECT count(*)
FROM users_list_table

Simply put, this SQL command will instruct the database to discover the username and password of the legitimate user. In other words, the very login form which is supposed to protect your sensitive information can be exploited to reveal your login information to hackers.

Every website each has its own specific set of SQL queries that it will perform for legitimate functions required for your website to work. If any input field remains vulnerable to hackers, a hacker may inject additional SQL commands to manipulate the website to perform certain tasks out of its usual capabilities, thus stretching the limits of the website to access information not previously accessible.

As a result, any hacker which uses SQL Injection will have a clear path to the heart of your website regardless of the quality or quantity of network security systems you set up on your website.

Is there a possibility of SQL Injection affecting my database?

SQL Injection is one of the most popular intrusion techniques  among modern hackers. Although it is relatively easy to protect websites against SQL Injection, it is many business owners are oblivious to this threat.

Before 27th July 2006, only 9% of the total hacking incidents reported in the media were due to SQL Injection, according to the Web Application Security Consortium (WASC). More recently, it has been discovered that approximately 50% of websites are vulnerable to SQL Injection.

If you do not have in-depth technical knowledge, it could be quite complicated for you to find out whether your website is vulnerable to SQL Injection. With 50% of websites vulnerable to SQL Injection, your website has quite a high chance of being vulnerable too.

Although it is certain that hackers are able to execute SQL commands on your website, the crucial question is how your website responds to the SQL commands, and whether the hacker is able to view the sensitive information.

If your website is improperly coded to deal with such threats, then there is a high risk of your corporate data, and even customer data, being compromised.

Every database’s level of security can be manually set by a developer. Whether a hacker is able to gain access to your database depends on the level of security. Unfortunately, most databases are set to ‘read access’, so even if the intruder is unable to manipulate your database, they can still easily read your sensitive data.

What impact can SQL Injection have on my website?

As explained above, an attacker can gain easy access to your website’s database through SQL Injection. Once he finds out that your website is vulnerable, he is able to inject SQL commands through any input field on your website. This is equivalent to giving the hacker full access to execute any SQL command on your website.

Depending on the back-end database system you use, SQL Injection can lead to different levels of system access for the attacker. In some cases, it can even be possible to edit your system files or execute shell commands (i.e. command line commands) on the underlying operating system, which could spell disaster on certain SQL servers, such as Microsoft SQL Server which contains database server functions.

Unfortunately, the impact of SQL Injection can only be discovered after the hacker has stolen the data or manipulated the server, with the more expert hackers rarely getting caught.

How can I secure my database from SQL Injection attacks?

As mentioned before, your ordinary antivirus or network security mechanisms are futile against full-scale SQL Injection attacks, because these hackers attack your website through the very means any legitimate user accesses your website. They enter your database through login forms, contact forms, search bars, or any input fields on your website; which are specifically designed to allow general users to communicate with your database.

Hence, what you need is to detect and repair all your vulnerabilities on your website before any hackers can exploit them. Though patching your servers, databases, etc. might help, they will never be able to fully withstand a full-scale SQL Injection attack. But, we are able to help. If you would like to find out more about our services, please click here to find out more.