SQL Injection

Nakhwa Aseem
Sep 15, 2022

  • What is SQL Injection? 

An SQL injection is a technique that attackers use to gain unauthorized access to a web application's database by adding a string of malicious code to a database query. An SQL injection, sometimes abbreviated to SQLi, manipulates SQL code to provide access to protected resources, such as sensitive data, or to execute malicious SQL statements. When executed correctly, an SQL injection can expose intellectual property, customer data or the administrative credentials of a private business. It's one of the most prevalent and threatening types of attack because it can potentially be used against any web application or website that uses an SQL-based database (which is most of them).

  • How do SQL injection attacks work?

To understand SQL injection, it's important to know what structured query language (SQL) is. SQL is a query language used in programming to access, modify, and delete data stored in relational databases. Since most websites and web applications rely on SQL databases, an SQL injection attack can have serious consequences for organizations.

An SQL query is a request sent to a database asking it to perform some activity or function, such as retrieving data or executing SQL code. An example is when login information is submitted via a web form to allow a user access to a site. Typically, this type of web form is designed to accept only specific types of data, such as a name and/or password. When that information is submitted, it's checked against a database, and if it matches, the user is granted entry. If not, they are denied access.

Problems arise because most web forms have no way of stopping additional information from being entered into them. Hackers can exploit this weakness and use the input boxes on the form to send their own requests to the database. This could allow them to carry out a range of nefarious activities, from stealing sensitive data to manipulating the information in the database for their own ends.
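The login check described above, as an added example that is not part of the original post: the same lookup written once by pasting form input into the SQL text and once with placeholders. The table, the account and the function names are assumptions made for the illustration, and all sample inputs are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    # Plaintext password only to keep the example short; store hashes in practice.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concatenated(db, name, password):
    # Weak form: form input is pasted into the SQL text, so the database
    # parses any quote characters in it as part of the query itself.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0

def login_parameterized(db, name, password):
    # Corrected form: placeholders keep the query text fixed; the driver
    # passes the input separately and it is only ever compared as data.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0

def raises_sql_error(login, db, name):
    # Defender's check: an ordinary name containing an apostrophe must not
    # be able to break the query. Returns True if the database rejects it.
    try:
        login(db, name, "x")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that contains SQL syntax
    for label, fn in (("concatenated", login_concatenated),
                      ("parameterized", login_parameterized)):
        print(label,
              "| valid:", fn(db, "alice", "s3cret"),
              "| wrong:", fn(db, "alice", "nope"),
              "| crafted:", fn(db, "alice", crafted),
              "| apostrophe breaks query:", raises_sql_error(fn, db, "O'Brien"))
```

With the concatenated query, the crafted value changes the WHERE clause and the check passes without the password; with placeholders the same value is just a wrong password.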

Because of the prevalence of websites and servers that use databases, SQL injection attacks are one of the oldest and most widespread types of cyber assault. Several developments in the hacker community have increased the risk of this type of attack, most notably the advent of automated SQL injection programs. Freely available from open-source developers, these programs allow cybercriminals to perform attacks in only a few minutes, giving them access to any table or any column in the database with just a point-and-click process.

 

