Introducing SQL Injection

SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run. In the real world this attack has proven dangerous because many developers are either not aware of the threat or don’t understand its seriousness and in some cases don’t even know how to defend against it. Developers should be aware of the following:

  • SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
  • SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
  • The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
  • The usual cause of this type of flaw is improper or absent input validation, thus allowing code to pass unimpeded to the database without being verified.

From the attacker’s side, vulnerability to SQL injection is very easy to detect. Visiting a suspect site and getting it to generate database error messages can indicate a potential vulnerability to this type of attack. In addition, the availability of automated and effective tools has increased, setting the bar even lower for successful execution of the attack. Finally, this type of attack is very attractive for an attacker to perform because of the value of the information that can be obtained. Information, especially personal information, can be sold on the black market for considerable amounts of money depending on what it is.

SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.

In the following example, the application builds a query from the logged-in user's name (here the username link) as the owner and a user-supplied itemName. The attacker submits the string 'name'; DELETE FROM items; -- for itemName, which is spliced into the existing SQL command, and the query becomes the following two statements:

SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;--

Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.

If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a', the following three valid statements will be created:

SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a' = 'a';

A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.
