SQL injection attacks are a common type of cyber-attack that can compromise the security of your website and put sensitive data at risk. In this guide, we will explain what SQL injection attacks are, how to identify them, and provide tips on how to defend against them to keep your website safe.
SQL injection (SQLi) is a type of code injection attack that uses malicious SQL statements to affect or access SQL databases, most often through web applications. A successful attacker can spoof identity, tamper with data, disclose information, destroy data, or gain administrative control of the database server. It works by inserting SQL code into user-input variables or strings that are concatenated with, or stored alongside, SQL commands and then executed.
SQL injection attacks work by exploiting the lack of input validation or parameterisation in the application code. The attacker can craft inputs that include SQL syntax or keywords that alter the intended behaviour of the query. For example, the attacker can use a single quote (') to terminate a literal string and append additional clauses or statements to the query.
The attacker can also use comments (--) to remove parts of the query that are not favourable to them. Depending on the database server and configuration, the attacker can execute multiple statements in a single query by using a semicolon (;) as a statement separator.
Some common types of SQL injection attacks include:
Retrieving hidden data:
The attacker can modify a SQL query to return additional results that are normally hidden or filtered by the application. For example, the attacker can use a logical operator (OR) to bypass a condition or use a wildcard character (%) to perform a partial match.
Subverting application logic:
The attacker can change a query to interfere with the application’s logic. For example, the attacker can use tautology (1=1) to bypass an authentication check or use a conditional operator (CASE) to execute different actions based on a condition.
UNION attacks:
The attacker can use the UNION operator to combine the results of two or more SELECT statements into a single result. This allows the attacker to retrieve data from different database tables that are not intended to be queried by the application. The attacker needs to match the number and data types of the columns in both queries.
Examining the database:
The attacker can extract information about the version and structure of the database by using built-in functions, keywords, or system tables. For example, the attacker can use @@version, version(), or SELECT VERSION() to get the database version; INFORMATION_SCHEMA, sysobjects, or sys.tables to get the table names; and column_name, data_type, or ordinal_position to get the column details.
Blind SQL injection:
The attacker can exploit a SQL injection vulnerability where the results of a query are not returned in the application’s responses. The attacker can use various techniques to infer information from the database by observing changes in the application’s behaviour, such as error messages, response time, or HTTP status codes. For example, the attacker can use Boolean-based blind SQL injection to send queries that result in a true or false condition and check whether the application responds differently; time-based blind SQL injection to send queries that cause a time delay and measure how long it takes for the application to respond; or out-of-band SQL injection to send queries that trigger an external interaction with a system that the attacker controls.
SQL injection attacks can be detected by various methods, such as:
Inspecting the input data for malicious SQL syntax, such as quotes, comments, operators, keywords, functions, or statements.
Monitoring the database logs for unusual queries, such as multiple statements, UNION queries, subqueries, system functions, or error messages.
Using web application firewalls (WAFs) or intrusion detection systems (IDSs) that can block, or alert on, suspicious requests or responses.
Performing regular vulnerability scans using automated tools or manual testing techniques that can identify and exploit SQL injection vulnerabilities.
Some best practices for preventing SQL injection attacks are: