Web Vulnerabilities 101: What’s SQL Injection?

If you’re familiar with the digital or cyber world at all, you have probably seen the terms “SQL” or “SQL injection” thrown around. SQL is a simply put, a database language. In fact, SQL stands for Structured Query Language, and it was designed to operate database systems like the aptly named MySQL, Microsoft SQL Server, SQLite, or Oracle. SQL injection is an attack where SQL statements that were not meant to be there are inputted. This changes the code from what it was originally meant to do.

My name is Hold Please and I make a phone call to my credit card company to complain about my bill this month. When asked by an automated customer service system about what my name is, I say “Hold Please.”

The customer service rep holds…

This is SQL Injection, in a nutshell.

sql injection comic strip by xkcd

The injection could affect any website or web application that uses an SQL-based database (like MySQL or Oracle). Thus, the vulnerability is one of the most prevalent types of web application vulnerabilities. In fact, in 2013, SQL injections were ranked the #1 threat of the year by OWASP (Open Web Application Security Project).

SQL Injection consequences?

The above examples could be humorous. So perhaps your response is, “Well, it’s not really hurting anyone.” But let’s add on more to the story.

Instead of answering “Hold Please,” when the customer service representative asks for my name I say, “Hold Please, and throw away any record of my credit card bills.” If the customer service rep did exactly what I asked, they just lost out on my payment.

  • SQL could be used to delete important information. It could affect how a web application could function
  • Data could be altered, and could cause repudiation issues. It could even alter a balance on an account. This could compromise your company’s integrity.
  • SQL Injection can be used to get past authentication or even impersonate users and administrators

To take it one step further, let’s say I have a huge grudge against this company. So when asked my name I say, “Hold Please, and throw away any record of my credit card bills. Also, go ahead and throw out the rest of the company’s customer accounts.

  • Hence, worst case scenario: SQL Injection could be used to wipe out entire databases

As you can see, while you might say that SQL injection is a rather simple concept, it can bring with it an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down or even cease to exist because of this injection.

Prevention of SQLi

Then how do you prevent it? SQL Injection is a common vulnerability and very widespread. But that does come with a silver lining: there are various ways to prevent the vulnerability and ensuing attacks. Here are just a few to get you started.

  • Update regularly: vulnerabilities are being found each and every day. It’s essential to have updates regularly patched.
  • Use parameterized queries: This means that your variables aren’t query strings that would accept arbitrary SQL inputs. Set parameters of given types are necessary. Parameterized queries require the developer to define all the code. It distinguishes between code and data. For example, let’s say that I would need to input a username into a field. Without parameterized queries, I could input any kind of SQL code into the field, and perhaps have the database erased, but if the parameters were set to ‘@username’ then I would only be able to put in a username without any kind of code.

Instead of saying “Hold Please” int0 the automated system, the system now requires that I input my 16-digit credit card number and then press #. This means the parameters are set to a certain number of digits and then the pound key only.

  • Web Application Firewall: This is by far one of the best things you can do in order to protect your applications. Coming in many forms (appliance, software, cloud-based), a WAF can help to filter and find malicious data. The one thing you should concentrate on, however, is what kind of method the WAF uses to detect the vulnerabilities. For example, while many companies use a pattern-based WAF that can have many false positives, Penta Security’s WAF, WAPPLES, uses a logic based engine rather than looking for a pattern. This logic-analysis engine will use 26 different search parameters to accurately analyze traffic, resulting in very low false positives.

Conclusion?

SQL injections are common, but that doesn’t mean that you shouldn’t take any precautions against it. Overall, it’s a simple concept but with an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down because of this injection. If you run a business on a website or hold a valuable amount of data, SQL injection could spell disaster.

Make sure to protect yourself from potential loss by investing your time in these solutions to further the benefits in your future!