SQL injections: What they are, how to stop them

SQL injection experiences

  • The consequences are: sensitive data could be changed, deleted or leaked. Hackers can also use SQL injections to connect to systems as an authorized user without prior knowledge of the password.

  • Ways to prevent SQL injections: Avoid using interpreters where possible, since hackers can trick them into executing unintended commands. Also, avoid detailed error messages, which are useful to attackers, and use a standard input validation mechanism to check all input data for length, type, syntax and business rules.

  • What a SQL injection is: An attack against a database-driven Web site in which the hacker executes unauthorized SQL commands by taking advantage of insecure code on systems connected to the Internet. SQL injections (and other injection flaws) are the second-most common Web application security vulnerability, according to the Open Web Application Security Project.

  • Once the attack succeeds: a hacker can read sensitive data from the database, modify database data, execute operations such as shutting the database down, and potentially issue commands directly to the operating system. US site Autoweb (pictured) recently suffered such an attack on its site but is now back up and running.

  • What a hacker does: A hacker injects the SQL query via input data from the client (aka Web browser) to the application. The goal is to inject malicious SQL language into the statement an application uses to query the database. All an attacker needs is a "web browser, knowledge of SQL queries and creative guess work to important table and field names," says security vendor Acunetix.
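As an added illustration (not code from the article or any vendor it quotes), the vulnerable pattern described above sits next to a hardened version that applies two of the defences listed: validating input for length, type and syntax before use, and passing the values to the database separately from the SQL text. The table, user and injection string are constructed for the example; SQLite is used only because it needs no server.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample database: one user with a known password. Plaintext
    # storage is used only to keep the SQL point in focus; real systems hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_vulnerable(conn, name, password) -> bool:
    # The statement is assembled by string concatenation, so whatever the
    # client sends becomes part of the SQL language the database parses.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

# Hypothetical business rule for this example: user names are short and alphanumeric.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def login_hardened(conn, name, password) -> bool:
    # 1. Standard input validation: type, length and syntax checked up front.
    if not isinstance(name, str) or not isinstance(password, str):
        return False
    if not NAME_RE.fullmatch(name) or not (1 <= len(password) <= 128):
        return False
    # 2. Parameterised statement: the driver binds the values as data, so a
    #    quote inside them can never close the literal or add a clause.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0

def demo() -> dict:
    conn = make_db()
    # Constructed injection string: the leading quote closes the password
    # literal and the remainder turns the WHERE clause into a tautology.
    injected = "' OR '1'='1"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_injected": login_vulnerable(conn, "alice", injected),
        "hard_good_creds": login_hardened(conn, "alice", "correct-horse"),
        "hard_injected": login_hardened(conn, "alice", injected),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable function accepts the injected string as a valid login; the hardened one rejects it while still accepting the real credentials.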
