SQL Injection

A SQL Injection is an attempt by an attacker to upload SQL commands to a website in order to manipulate data on the server. The objective is usually to steal data, destroy data, or manipulate data for purposes of fraud.

The most common method is to enter SQL commands into a web form. However, there are many other ways to inject SQL into a web server, such as appending commands to a URL, injecting them into an HTTP Post, or inserting commands in a browser cookie that is used by your website.

SQL Injections have been at the top of every OWASP Top 10 list for over 10 years. Many web applications use databases for efficient storage and retrieval of data. This means that databases contain a lot of important and sensitive data, such as usernames, passwords, dates of birth, Social Security numbers, and more.

Web applications interact with the database layer using SQL queries. Typically, these queries are performed using inputs in the web page — like a search query. However, a poorly designed web application may accept any type of SQL query in an input box intended only to accept a specific type of data, for example, the user’s first name. Attackers exploit this flaw by entering SQL queries in these input boxes to either retrieve or corrupt data stored in the database.

There are a variety of techniques to limit the ability of attackers to directly steal or corrupt your data. Most techniques are intended to minimize the ability of end-users to supply data or commands that can be interpreted by your web server or database. It is important to note that this input can come from a variety of sources including posted form submissions, URL arguments, and browser cookies.

Some of the more common SQL injection prevention techniques are listed below.

• Sanitization. The most common protection is to sanitize all user-supplied data should be sanitized in order to remove character strings that could be executed as SQL commands by the interpreter or passed directly to a SQL database. Sanitization generally involves replacing executing commands found within user data with alternative, non-executable characters.
• Filtering and validation. All user-supplied data should be validated by limiting the format, length, and other attributes of permissible inputs. Occurrences of SQL commands or other malicious code should be filtered.
• Avoid unsecured URL parameters. Avoid using URL arguments such as in an object relational model (ORM) that trigger database operations. Instead, use a secure API for all database access.
• Limiting the scope of SQL commands. Use LIMIT commands within SQL operations to minimize the disclosure of data in case a SQL injection reaches your database.

Although coding techniques like the ones listed above are important, careful coding does not guarantee protection. Third-party software libraries, subsequent code changes by other developers, and newly discovered obfuscation techniques can leave your website exposed to SQL injection attacks. Adding an automated layer of protection with a Web Application Firewall can ensure that your websites and web applications remain protected.