SQL Injection: Definition, Damage & Defense

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Updated: 04/21/2022 - 12:26
Time to read: 4 minutes

An SQL injection is a form of attack. A hacker steps between what should be a private conversation between a device (like a computer) and a data-storage center (like a server).

Once the hacker steps inside, that person could watch, modify, or delete almost anything. And the results could be catastrophic.

What Is an SQL Injection?

Any website relies on code. Bloggers tell us that coding will eventually become a mandatory skill. Everyone will need to do it to survive in modern society. But at the moment, people who can code use those skills to manipulate a fundamental part of running a website. 

Most modern websites run on databases, including those that:

  • Sell products. 
  • Allow logins. 
  • Publish blogs.

A site like this relies on structured query language (SQL). Programmers use this language to help the site manage and deliver data. Whenever someone interacts with a site like this, their requests and commands come to the site via SQL. A hacker, during an SQL injection attack, twists that language to a new purpose. 

A hacker could manipulate almost any SQL command, but common targets include:

  • WHERE, as you search for the location of data you'd like to select
  • UPDATE, where you're asking for a data refresh 
  • INSERT, where you're allowing for new data 
  • SELECT, where you're identifying some type of data by name or you're ordering data

A hacker might use SQL injection to:

  • Hunt. A hacker modifying SQL data could find something that you'd like to keep hidden. 
  • Access. A hacker could modify your site's logic or retrieve data within your database. That could allow someone to see all usernames and passwords, which could allow for unauthorized entry. 
  • Plan. A hacker could examine how your database is programmed and where it's stored. That research could be used in the next attack.

Two main types of SQL injection exist, which are.

  • First order. An application offers an opportunity to give data. The user enters code, which the system processes in an unsafe way. 
  • Second order. The application takes input and stores it for later (such as by placing it within a database). When the application gets a different request, that strange data is retrieved and incorporated in an unsafe way.

An SQL Injection Example

Let's walk through just one type of SQL attack so you can see how it unfolds. Developers can share lines of code, so you can see how it executes in real time. But we'll keep our definition at a high level for all of our readers. 

In this example, a known person in your database is named Johnson.

A hacker hits your website, and that person is encouraged to log in. 

The person doesn't enter the word "Johnson" in the field. Instead, the person enters a string of code, such as "OR 1 equals 1."

Your system interprets this as a command, and it will search through the entire database to resolve it. If the hacker has written strong enough code, the server could even be enticed to spit out the contents of everything in your data tables. 

The website Gab was subject to an attack just like this, and hackers gained access to all these:

  • Public posts 
  • Private, peer-to-peer posts 
  • Group posts 
  • Profile information 
  • User names 
  • Passwords 

Any person on Gab who used a similar username/password combination on another site faced even deeper risks. Hackers could have tried those credentials on other sites and gained even deeper access to their online lives. 

Can You Prevent an SQL Injection Attack?

It's quick and efficient to manage a website via databases. You don't need a robust server to handle all of your pages, and the content can change at the push of a button. But you must take care to protect a site built with this technology. 

Detect your vulnerability to SQL injection attacks by submitting your own SQL coding. Look for unusual responses that indicate your server is interpreting these items as commands. 

Then, consider developing a set of allowed characters and commands. Don't let people type in anything they'd like in your field boxes. Restrict what they can tap out to terms you know can't be considered code.  

References

Coding in 2016 is Like Reading in 1816. (October 2016). Prenda. 

5 Important Points About Database-Driven Websites. (June 2016). Business 2 Community. 

Database-Driven Websites. (October 2003). Journal of the Medical Library Association. 

Far-Right Platform Gab Confirms It Was Hacked. (March 2021). Security.

SQL Injection Prevention Cheat Sheet. OWASP.