SQL Injection (SQLi) Attacks and How To Prevent Them


What Is SQL Injection (SQLi)?

SQL injection is a common attack technique that can compromise a database. By "injecting" SQL syntax into a legitimate data entry field (such as a username or password field), an attacker gets their own SQL executed by the database server. This works because SQL carries control and data in the same string: when an application builds a query by concatenating user input into the query text, the database parser cannot tell where the developer's statement ends and the attacker's input begins, so a stray quote character is enough to turn "data" into "code".

A successful exploit can trick the database into disclosing restricted data, modify or destroy data, execute administrative operations (such as shutting down the DBMS), read the content of files on the DBMS file system, and, in some configurations, issue commands to the underlying operating system.

SQLi is a type of code injection attack: the injected payload is interpreted by the database's SQL parser rather than by the application's own language runtime.


Protection Against SQLi Attacks

Here are the main ways to protect against SQL injection attacks, in order of effectiveness:

  1. Use parameterized queries (prepared statements), so that user input is always bound as data and never spliced into the SQL text
  2. Avoid dynamic SQL built by string concatenation, including inside stored procedures
  3. Validate user-submitted input against an allowlist of expected values or formats; where a value cannot be parameterized (a table name or sort column, for example), map it to a fixed set of allowed identifiers rather than escaping it
  4. Treat blocking known malicious input as a weak, secondary layer only

Limiting the ways that queries can be made to the database closes the loopholes attackers rely on. Stored procedures can help because they restrict the application to a fixed set of statements, but only if the procedure itself binds its arguments as parameters: a stored procedure that concatenates its arguments into a dynamic SQL string and executes it is just as injectable as application code doing the same thing.

One approach to input validation is to accept only characters or values from a list of known-safe entries (allowlisting, also called whitelisting). The opposite approach rejects any input that matches a list of potentially malicious patterns (blocklisting, also called blacklisting).

Accepting only approved entries is very effective, but it is harder to implement and requires continual maintenance as legitimate inputs change. Attempting to block malicious inputs is generally seen as an ineffective technique on its own, because there are many ways to fool a filter that looks for malicious code. For example, attackers can:

  • Use mixed upper and lowercase letters (oR, uNiOn) to bypass case-sensitive filters, since SQL keywords are case-insensitive
  • Use escape characters, or inline comment sequences such as /**/ inside a keyword, so that the filtered token never appears as one string
  • Use different encodings (URL encoding, double encoding, Unicode) so that a filter which runs before decoding never sees the quote or keyword at all

These are just a few of the many methods used to bypass such defenses, which is why parameterized queries, not filtering, are the primary control.
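The mechanism and the defenses above, as an added example that is not part of the original article. It is written in Python against an in-memory SQLite database with a constructed users table; the table contents, the login functions, the naive denylist regex and the allowlist regex are all assumptions made for the demonstration. It shows the concatenated query being hijacked by a quote character (authentication bypass, then UNION-based data disclosure), the same inputs being harmless under a parameterized query, a case-sensitive denylist being beaten by mixed case and by URL encoding, and an allowlist rejecting every one of those payloads outright.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data for the demo (not from the article).
USERS = [
    ("alice", "correct horse", "user"),
    ("admin", "hunter2", "admin"),
]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, so input can become SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the driver keeps the input as data only."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# A naive, case-sensitive denylist of the kind the article warns against.
# It is applied to the raw request value, before URL decoding (assumption).
DENYLIST = re.compile(r"\b(OR|UNION|SELECT)\b|--")


def denylist_allows(value):
    """True if the raw value matches none of the blocked tokens."""
    return DENYLIST.search(value) is None


# Allowlist for a username: 1-32 word characters, checked on the decoded value.
ALLOWLIST = re.compile(r"[A-Za-z0-9_]{1,32}")


def allowlist_allows(value):
    """True only if the whole value is made of permitted characters."""
    return ALLOWLIST.fullmatch(value) is not None


def demo():
    """Runs every scenario and returns the raw results keyed by scenario."""
    conn = make_db()
    results = {}

    # 1. Authentication bypass: the leading quote closes the data literal and
    #    the rest of the input is parsed as SQL, returning every user.
    payload = "' OR '1'='1"
    results["bypass_vulnerable"] = login_vulnerable(conn, "nobody", payload)
    results["bypass_parameterized"] = login_parameterized(conn, "nobody", payload)

    # 2. Data disclosure via UNION: the second SELECT is attacker-chosen and
    #    the trailing '--' comments out the password check.
    union = "' UNION SELECT name, password FROM users--"
    results["union_vulnerable"] = login_vulnerable(conn, union, "x")
    results["union_parameterized"] = login_parameterized(conn, union, "x")

    # 3. The denylist catches the textbook payload, but SQL keywords are
    #    case-insensitive ('oR' works), and a filter that runs on the
    #    URL-encoded form never sees the quote or the keyword.
    mixed_case = "' oR '1'='1"
    encoded = "%27%20OR%20%271%27%3D%271"
    results["denylist_plain"] = denylist_allows(payload)
    results["denylist_mixed_case"] = (denylist_allows(mixed_case),
                                      login_vulnerable(conn, "nobody", mixed_case))
    results["denylist_encoded"] = (denylist_allows(encoded),
                                   login_vulnerable(conn, "nobody", unquote(encoded)))

    # 4. Allowlist validation rejects all of the payloads and keeps a real name.
    results["allowlist"] = [allowlist_allows(v)
                            for v in ("alice", payload, mixed_case, unquote(encoded))]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that `sqlite3` refuses to run more than one statement per `execute` call, so stacked queries (`'; DROP TABLE users--`) do not work in this demo even against the vulnerable function; on drivers and databases that allow them, the same concatenation bug also permits data destruction.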


SQL Injection History

Jeff Forristal, writing under the alias Rain Forest Puppy, is credited with the first public documentation of SQL injection in Phrack Magazine in December 1998. At the time he was writing about attacking Windows NT web servers when he found that inputting certain characters into a form field could make the server execute his own SQL and give up data stored in its database. More than two decades after its initial disclosure, SQLi remains among the most widespread web application vulnerabilities.