Technical Blog: SQL Injection
September 21st, 2014
What is SQL injection?
SQL injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is a technique in which malicious users inject SQL commands into an SQL statement via web page input. The injected commands can alter the SQL statement and compromise the security of a web application. Essentially, hackers supply crafted input on login pages or at any other place that accepts user input (rather than a login name, they enter a fragment of SQL code), and that tricks the database server into divulging whatever information the hacker wants. Here is an example of what a potential SQL injection would look like: login: ' or '1' = '1
The application checks whether the login that was entered exists in the user database and, if that check returns true, logs the visitor in as that user. When input like the example above is passed in, the condition evaluates to true regardless of the login, and since the application doesn't know which user to choose, it picks the first user in the database and logs that person in.
How can web developers prevent SQL injection?
Some web developers use a 'blacklist' of words or characters to search for in SQL input in order to prevent SQL injection attacks. This is not a good idea: many of these words (like delete or drop) and characters (like semicolons and quotation marks) occur in ordinary language and should be allowed in many types of input. The only proven way to protect a web site from SQL injection attacks is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
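As an added illustration (example code, not from the original post), here is the login lookup the post describes built by string concatenation beside the same lookup written with SQL parameters, run against a constructed in-memory SQLite table; the user names and the `login_*` function names are assumptions made for the example.

```python
import sqlite3

def setup_db():
    """Constructed in-memory user table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO users (login) VALUES (?)",
                     [("admin",), ("alice",), ("o'brien",)])
    return conn

def login_vulnerable(conn, login):
    """Concatenates the input into the statement, so the input becomes SQL.
    With login = ' or '1'='1 the WHERE clause is true for every row and
    fetchone() returns the first user in the table."""
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, login):
    """Passes the input as a bound parameter: the driver supplies it at
    execution time as a value, so quotes in it never change the statement."""
    sql = "SELECT login FROM users WHERE login = ?"
    row = conn.execute(sql, (login,)).fetchone()
    return row[0] if row else None

def raises_sql_error(fn, *args):
    """True if the lookup fails with a SQL syntax error, i.e. a quote in the
    input broke the statement instead of being treated as data."""
    try:
        fn(*args)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = setup_db()
    payload = "' or '1'='1"  # the post's example input
    print("vulnerable   :", login_vulnerable(conn, payload))      # admin
    print("parameterized:", login_parameterized(conn, payload))   # None
    # A legitimate name containing a quote breaks the concatenated query
    # but is matched correctly when bound as a parameter.
    print("o'brien, vulnerable raises:", raises_sql_error(login_vulnerable, conn, "o'brien"))  # True
    print("o'brien, parameterized:", login_parameterized(conn, "o'brien"))  # o'brien
```

The second pair of calls shows why a blacklist of quotation marks is the wrong fix: the parameterized query accepts a real name containing a quote, while the concatenated one turns it into a syntax error.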