SQL Injection is a security vulnerability in which an attacker submits a database SQL command that the web site then executes, exposing the back-end database. The attack takes place when the web site or web application does not validate user-supplied data that is included in a SQL command or query, which tricks the web site or web application into executing unintended commands or even changing data.
SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. It is usually used by attackers to gain access to sensitive information. An example is given below.
In a web application, the user is prompted to enter the name of the city to which the order is to be delivered. If the user enters Delhi, the query assembled by the script will be:
SELECT * FROM OrdersTable WHERE ShipCity = 'Delhi'
However, if the attacker instead supplies the nefarious input
Delhi'; drop table OrdersTable--
and the web site lacks input validation, then the following query will execute instead:
SELECT * FROM OrdersTable WHERE ShipCity = 'Delhi';drop table OrdersTable--'
The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored, which is why the trailing quote no longer causes a syntax error. If the modified code is syntactically correct, it will be executed by the server. When the database server processes this statement, it will first select all records in OrdersTable where ShipCity is Delhi. Then it will drop OrdersTable.
Measures used to prevent SQL injection include the following:
- Validate user-given input against a set of defined rules for length, type, and syntax, and also against business rules.
- Give database users only the least privileges required by their role.
- Change the default database username.
- Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
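The OrdersTable walk-through and the first and last measures above, as an added Python example that is not part of the original article: it builds an in-memory SQLite copy of OrdersTable from constructed rows, sends the article's modified query through a function that concatenates the user value into the SQL text, and contrasts that with a parameterized query guarded by an allow-list check. The function names, the CITY_PATTERN rule and the sample rows are the example's own assumptions; sqlite3's executescript() is used only to stand in for a database driver that accepts stacked statements separated by ';'.

```python
import re
import sqlite3

# Constructed sample rows for an in-memory copy of the article's OrdersTable.
SAMPLE_ROWS = [(1, "Delhi"), (2, "Mumbai"), (3, "Delhi")]

# The article's nefarious input, reproduced exactly as given there.
INJECTED_INPUT = "Delhi'; drop table OrdersTable--"

# Assumed business rule for a city name: letters, spaces and hyphens, 1 to 64
# characters. It is an example allow-list, not a general-purpose validator.
CITY_PATTERN = re.compile(r"^[A-Za-z][A-Za-z -]{0,63}$")


def fresh_db():
    """Create an in-memory SQLite database holding OrdersTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderID INTEGER PRIMARY KEY, ShipCity TEXT)")
    conn.executemany("INSERT INTO OrdersTable VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn, name="OrdersTable"):
    """Report whether a table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_query_vulnerable(city):
    """The article's pattern: paste the user value straight into the SQL text."""
    return "SELECT * FROM OrdersTable WHERE ShipCity = '" + city + "'"


def run_vulnerable(conn, city):
    """Execute the concatenated query and return the SQL text that was sent.

    executescript() stands in for a driver that accepts stacked statements;
    it is what allows the injected second statement to run at all.
    """
    sql = build_query_vulnerable(city)
    conn.executescript(sql)
    return sql


def orders_by_city_safe(conn, city):
    """Parameterized query: the driver binds the value and never parses it as SQL."""
    cur = conn.execute(
        "SELECT OrderID, ShipCity FROM OrdersTable WHERE ShipCity = ?", (city,)
    )
    return cur.fetchall()


def is_valid_city(city):
    """Input validation against length, type and syntax rules (first measure)."""
    return isinstance(city, str) and CITY_PATTERN.fullmatch(city) is not None


def orders_by_city_hardened(conn, city):
    """Validation plus parameterization, as the measures above recommend."""
    if not is_valid_city(city):
        raise ValueError("city name rejected by input validation")
    return orders_by_city_safe(conn, city)


if __name__ == "__main__":
    conn = fresh_db()
    print("sent:", run_vulnerable(conn, INJECTED_INPUT))
    print("table exists after concatenated query:", table_exists(conn))

    conn = fresh_db()
    print("rows for injected input via placeholder:", orders_by_city_safe(conn, INJECTED_INPUT))
    print("table exists after parameterized query:", table_exists(conn))
    print("hardened rows for 'Delhi':", orders_by_city_hardened(conn, "Delhi"))
```

Two things are worth noticing when running it. The parameterized query returns no rows for the injected input because the whole string, quote and semicolon included, is bound as the value compared against ShipCity; the table is untouched. Separately, sqlite3's ordinary execute() refuses a string containing more than one statement, which is why the concatenating function has to fall back to executescript() to reproduce the article's outcome; a driver that rejects stacked statements narrows the damage but does not remove the injection, since a single statement can still be altered, so placeholders and validation remain the fix.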