SQL injection (SQLi) is an attack that inserts malicious, client-supplied data (sometimes referred to as a malicious payload) into a SQL statement, in order to control a web application’s Relational Database Management System (RDBMS). The database’s SQL engine is then tricked into executing the malicious commands by supplying specially crafted string input, providing the attacker with unauthorized access to view or manipulate restricted data.
SQLi is one of the oldest, most prevalent and most dangerous of web application attack. Although injection techniques may differ, they all exploit a single vulnerability in the application — incorrectly validated or non-validated string literals that are concatenated into a dynamic SQL statement and interpreted as code by the SQL engine.
Using SQL Injection, an attacker can gain unauthorized access to customer data, personally identifiable information, trade secrets, intellectual property, and other sensitive information.
By leveraging SQL injection, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify, and delete records in a database, thus affecting data integrity.
SQL injection attacks can take any of the following approaches:
- Error-based SQL injection — generates database errors to retrieve inside information about the database.
- Boolean-based SQL injection — uses contrasting SQL queries to determine if an application is vulnerable.
- Time-based SQL injection — instructs the database to wait a specified time before responding.
- Out-of-band SQL injection — sends the data directly from a database server to a machine controlled by the attacker.
SQL Injection Mitigation Methods
An effective mitigation strategy includes the following practices:
- Categorize and explain the types of SQL injection attacks
- Describe coding and design strategies for avoiding SQL injection attacks
- Use DBMS_ASSERT to validate input values
- Use code review tools to identify possible SQL injection vulnerabilities
- Apply coding standards to eliminate SQL injection vulnerabilities
Examples of effective strategies include:
- Parameterized statements: Statements that work with parameters (placeholders or bind variables) can be used instead of embedding user input into the statement.
- Enforcement at the coding level: Using ORM libraries obviates the need to write SQL code because the libraries generate parameterized SQL statements from object-oriented code.
- Escaping: A simple, although sometimes unreliable way to prevent injections is to use escape characters that have a special meaning in SQL. Typically, documentation for an SQL DBMS provides the characters that have a special meaning, providing the basis for a comprehensive blacklist of characters needing translation.
- Pattern check: A validation check for integer, float, boolean, or string parameters can determine an authentic representation for the given type. If a string must follow a strict pattern (date, UUID, alphanumeric only, etc.), it can be checked to see if it matches the pattern.
- Database permissions: Limiting database login permissions used by the web application to only essential users reduces the effectiveness of any SQL injection attacks.
Learn how Imperva solutions can help you prevent SQL injections.