What Is SQL Injection (SQLi)?
A SQL injection is a common hacking technique which can compromise a database. By "injecting" an SQL command or code fragment into a legitimate data entry field (like a password field), attackers can use SQL to communicate directly with a database. This works because SQL does not differentiate between the control and data planes.
A successful exploit can trick the database into sharing restricted data, modify data, execute administration operations on the database (like shutting down a DBMS such as Db2), recover the content of a given file present on the DBMS file system, and even issue commands to the operating system.
SQLi is a type of code injection attack.
Protection Against SQLi Attacks
Here are some ways to protect against SQL injection attacks:
- Use parameterized queries, validate user-submitted input, and use stored procedures
- Avoid dynamic SQL
- Block known malicious input
- Sanitize inputs
Limiting the ways that queries are made to the database can close loopholes that attackers use. Stored procedures combat SQL injection attacks by limiting the types of statements that can affect the database.
One approach is to enforce strict input validation by only accepting characters from a list of safe values (also known as whitelisting). Another approach rejects any input that matches a list of potentially malicious values (also called blacklisting).
Blocking everything except approved entries can be very effective, but is difficult to implement and requires continual maintenance. Attempting to block malicious inputs is generally seen as an ineffective technique because there are many ways to fool the filters looking for malicious code. For example, attackers can:
- Use upper and lowercase letters to bypass case-sensitive filters
- Use the escape character to bypass filters
- Use different types of encoding to avoid detection
These are just a few examples of the many methods used to try and bypass these types of defenses.