SQL Injection

SQL Injection is a code injection technique that can cause loss of, or damage to, our database. It is one of the most common web hacking techniques: malicious SQL is placed into SQL statements through web page input. Malicious users can use SQL injection to manipulate the application's web server and the database behind it.

SQL injection generally occurs when we ask a user to input their username or userID. Instead of a name or ID, the user gives us an SQL statement that we will unknowingly run on our database.


demoUserId = getRequestString("UserId");
demoSQL = "SELECT * FROM users WHERE UserId =" + demoUserId;
                    

Output

Dynamic SQL query created based on user input.

Types of SQL Injection Attacks

SQL injections can do more harm than bypassing login checks. Some of the SQL injection attacks include:
Updating, deleting, and inserting data: An attacker can modify cookies to poison a web application's database query.
Executing commands: An attacker can use the database server to download and install malicious programs such as Trojans.
Exporting valuable data: Data such as credit card details, email addresses, and passwords can be sent to the attacker's remote server.
Getting user login details: Web applications typically accept user input through a form, and the front end passes that input to the back-end database for processing; an injected login query can expose the stored credentials.


Example of SQL Injection

Consider an application based on employee records. An employee can view only their own records by entering a unique and private Employee ID. If the user enters the following in the input field: 236893238 or 1=1, it will translate to:


SELECT * from EMPLOYEE where EMPLOYEE_ID = 236893238 or 1=1

Output

All rows from the EMPLOYEE table will be retrieved.

This query exposes all employee data, because "or 1=1" makes the WHERE condition true for every row. Similarly, malicious users can use the query SELECT * from EMPLOYEE where (Employee_name = '' or 1=1) AND (Password = '' or 1=1) to retrieve sensitive user information.

SQL Injection Based on Batched SQL Statements

Several databases support batched SQL statements—a group of two or more SQL statements separated by semicolons. For example:


SELECT * FROM Employee; DROP TABLE Employee_Add

Output

Deletes the Employee_Add table after retrieving data from the Employee table.

How to Detect SQL Injection Attacks

Detecting SQL injection is an essential component of mitigating the risk. A Web Application Firewall can detect and block basic SQL injection attacks. However, we should not rely on it as the sole preventive measure. Intrusion Detection Systems (IDS) can be network-based or host-based and can monitor connections and web server logs to flag suspicious activities.


Impact of SQL Injection

SQL injection allows intruders to retrieve sensitive user data, such as credit card information, and even access protected areas like admin portals. Intruders can also delete data, compromising entire servers, which is particularly dangerous for applications such as online shopping and bank transactions.


How to Prevent SQL Injection Attacks

Validate User Input: Define and enforce the expected length, data type, and allowed fields before the input reaches a query.
Restrict Access Privileges: Define data access limits for users.
Avoid Admin Accounts: Do not use system administrator accounts for running queries.
Use Parameterized Queries: Do not build SQL statements by concatenating user input into the query text; pass values as bound parameters instead.
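The following is an added example, not code from the original page. It runs the Employee ID lookup from the example section three ways against a constructed EMPLOYEE table in SQLite: the concatenated query from the page, a parameterized query, and a parameterized query guarded by input validation. The table contents and the use of Python's sqlite3 module are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the EMPLOYEE table discussed in the text.
SAMPLE_EMPLOYEES = [
    (236893238, "Alice"),
    (300000001, "Bob"),
    (300000002, "Carol"),
]


def make_db():
    """Create an in-memory database holding the constructed EMPLOYEE table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (EMPLOYEE_ID INTEGER, Employee_name TEXT)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?)", SAMPLE_EMPLOYEES)
    return conn


def lookup_vulnerable(conn, user_input):
    """Build the statement by string concatenation, like the page's demoSQL line.
    Whatever the user typed becomes part of the SQL text, so the input
    '236893238 or 1=1' turns the WHERE clause into a condition that is always true."""
    sql = "SELECT * FROM EMPLOYEE WHERE EMPLOYEE_ID = " + user_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Bind the input as a parameter. The SQL text is fixed in advance and the
    driver passes the value separately, so '236893238 or 1=1' is compared as a
    single value and matches no row instead of being parsed as SQL."""
    sql = "SELECT * FROM EMPLOYEE WHERE EMPLOYEE_ID = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def is_valid_employee_id(user_input):
    """Input validation: an Employee ID is a string of digits and nothing else."""
    return isinstance(user_input, str) and user_input.isdigit()


def lookup_validated(conn, user_input):
    """Validate first, then run the parameterized query with a typed value.
    Anything that is not a plain numeric ID is rejected before any SQL runs."""
    if not is_valid_employee_id(user_input):
        raise ValueError("Employee ID must be numeric")
    return lookup_parameterized(conn, int(user_input))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "236893238 or 1=1"))   # every row
    print("parameterized:", lookup_parameterized(db, "236893238 or 1=1"))  # []
    print("validated:", lookup_validated(db, "236893238"))  # only Alice's row
```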