SQL injection: Definition
An SQL injection is one of the most common web hacking techniques. There are a few different variations of SQL injections, but the commonality is a cyber-attack in which malicious code is embedded into a vulnerable application or webpage and then passed to the backend database to view, alter or delete private information.
SQL stands for Structured Query Language, the query language used to manage data in relational databases by issuing commands.
This nature of cyber-attack can give the hacker complete access to view, modify or delete the data held within the database that has been compromised. This information may include sensitive company data, customer details and more, resulting in a severe data breach.
With this data, hackers can go on to conduct identity theft, gain access to bank accounts and blackmail businesses. Therefore, a successful SQL injection could lead to grave consequences for a business, including loss of customer trust, a breach of GDPR, and significant financial implications.
How SQL injection works
SQL injection hackers usually gain access to a web application or web page’s backend database via a log-in form. They do this by entering their SQL commands directly into entry fields on the web application or web page, e.g. log-in fields or a search box.
If an application does not use strong security practices when building its queries, a hacker can enter a string of unexpected characters and SQL fragments into the entry fields with the intent of bypassing the log-in process. Because the input is joined directly into the query text, the database interprets it as part of the command rather than as data, grants access, and leaves the hacker with control of the data held within the backend database.
What can an SQL injection do?
Effects from a successful SQL injection attack can include:
- Duplication of an entire database, or parts of it
- Modification or deletion of a database
- Theft of sensitive information
- Execution of operating system commands that provide the hacker with access to other assets on the same network as the hacked database
How to know if your web application or page is vulnerable to SQL injection
The first step towards protecting your databases from SQL injections is establishing whether or not they are vulnerable to this nature of attack. One way to find out is to attempt your own attack by constructing code snippets and injecting them into your system to see if you can gain access. Alternatively, you can take the simpler option and use an automated SQL injection tool to do the work for you. These tools can be used to determine what type of database you are using and identify vulnerabilities.
Types of SQL Injection
There are a few different variations of an SQL injection attack. Here are the key types to be aware of:
In-band SQL injection – This is the simplest and most common form of SQL injection attack. When using this method, hackers use error messages to gather the information they need to formulate a query. The hacker is able to use the same communication channel to launch the attack and gather their results.
Error-based SQL injection – This method uses error messages to obtain information about the structure of the database. It’s important to make error messages generic or they can offer hackers too much information, such as table names and content.
Blind SQL injection – When using this method, the hacker is unaware of whether the web application or page is vulnerable or not. It does not display any error messages, so the hacker goes in ‘blind’ and has to look for other subtle clues in behaviour to identify avenues for attack, including HTTP responses, blank web pages and response time.
Out-of-band SQL injection – This method is a bit more complex and is usually adopted if the hacker can’t gain access to a database with a single query-based attack. Instead, the hacker will craft SQL statements which trigger the database system to create a connection to an external server the attacker controls. From here, they can gain access to the data.
SQL injection example
In the case that a hacker executes SQL injection via a log-in field, the hacker can subvert application logic by manipulating the SQL query. Below is an SQL injection attack example.
If a user entered their username ‘joebloggs’ and their password ‘password123’, the following query would be performed:
SELECT * FROM users WHERE username = 'joebloggs' AND password = 'password123'
If the details match those of a user in the database, access is granted, otherwise it is rejected.
Using this code, an attacker could gain access by using the SQL comment sequence -- to remove the password requirement from the WHERE clause of the query. The double-dash sequence -- is a comment indicator in SQL: everything after it on the line is treated as a comment, so the password comparison is never evaluated.
For example, they can submit the username joebloggs'-- (the name, a closing quote and the comment sequence) together with a blank password field, producing the following query:
SELECT * FROM users WHERE username = 'joebloggs'-- AND password = ''
This query no longer checks the password, so it matches the user ‘joebloggs’ and the attacker is logged into the application as that user.
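To show the two queries above actually running, here is an added Python example; it is not code from the article. It uses a constructed in-memory SQLite table with one account: login_vulnerable builds the query by string concatenation exactly as described, so the joebloggs'-- input comments out the password check, while login_parameterised keeps the SQL text fixed and binds the values separately, so the same input is treated as an (unknown) username. The table layout and function names are assumptions for illustration.

```python
import sqlite3

# Added example, not code from the article. Sample data is constructed here.

def make_db():
    """Create an in-memory database with a single constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('joebloggs', 'password123')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the article describes: user input is pasted into the SQL text.

    Quotes and the -- comment sequence in the input therefore change the
    meaning of the statement instead of being compared as data.
    """
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row is not None


def login_parameterised(conn, username, password):
    """The fix: the SQL text is constant and the values are bound with placeholders.

    The database never parses the user's input as SQL, so joebloggs'-- is simply
    a username that does not exist.
    """
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, correct credentials :", login_vulnerable(db, "joebloggs", "password123"))
    print("vulnerable, comment bypass      :", login_vulnerable(db, "joebloggs'--", ""))
    print("parameterised, comment bypass   :", login_parameterised(db, "joebloggs'--", ""))
    print("parameterised, correct creds    :", login_parameterised(db, "joebloggs", "password123"))
```

Running the script prints True, True, False, True: the concatenated query accepts the comment trick with an empty password, the parameterised query does not, and legitimate credentials still work with the safe version.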
Is SQL injection still a threat?
SQL injections may have been around for over a decade, but the method is still very much a threat today and happens frequently. There are fewer documented cases of successful attacks in recent years, but website owners and database managers still need to adopt best practice to keep their systems safe.
This being said, SQL injections should be relatively easy to avoid if you’re using modern, trusted technology with adequate security procedures in place.
SQL injection prevention
Failing to have adequate security measures in place on your web page or application is essentially the same as leaving your back door open for a burglar to enter. There are a few preventative measures you can take to boost the security of your database, and fortunately they are relatively simple. Below are a few pointers on how SQL injections can be prevented:
- Update and patch any vulnerabilities in your databases that a hacker may be able to exploit using SQL injection. You may also want to consider downloading a web application firewall to filter out malicious data.
- Use input validation for all user-submitted data. This can be done in the application layer or via a database management system to ensure that dangerous characters such as the apostrophe are not passed to an SQL query as data. Also consider sanitising all data by filtering it by context. For example, email address fields should not allow any characters that do not appear in email addresses, phone number fields should only allow digits, etc.
- Limit the privileges that you assign to accounts. Don’t use an account with administrator functionality unless it is truly necessary, as this could provide access to the entire system if a hacker were to successfully carry out an SQL injection attack.
- Don’t use dynamic SQL (a technique that enables you to build SQL statements dynamically at runtime). Instead, use prepared statements, parameterised queries and stored procedures.
- Secure your application or web page accordingly by encrypting or hashing passwords and other confidential information.
- Consider purchasing cyber insurance. While this is not a prevention method, having cyber insurance can help to cover the cost of data recovery, business interruption, GDPR investigations, reputation protection and extortion.
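As an added example of the input-validation and password-hashing pointers above (not code from the article), the following Python snippet validates each field against what its context allows before it reaches the database, stores only a salted PBKDF2 hash of the password, and uses a bound-parameter query for the lookup. The table layout, the field rules (an allow-list for email characters, digits only for phone numbers with constructed length bounds) and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Added example, not code from the article. Field rules and sample data are constructed.

# Allow-list patterns: only characters that belong in the field are accepted,
# so an apostrophe or a comment sequence is rejected before any query is built.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"[0-9]{7,15}")  # digits only; length bounds are an assumption

ITERATIONS = 200_000  # PBKDF2 work factor, an assumption for this example


def validate_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def validate_phone(value):
    return PHONE_RE.fullmatch(value) is not None


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex) using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, phone TEXT, pw_hash TEXT)")
    return conn


def register(conn, email, phone, password):
    """Reject anything that does not fit the field's context; never store the raw password."""
    if not validate_email(email) or not validate_phone(phone):
        return False
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, phone, hash_password(password)))
    return True


def login(conn, email, password):
    """Validate first, then look the user up with a bound parameter and check the hash."""
    if not validate_email(email):
        return False
    row = conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    print(register(db, "joe@example.com", "07700900123", "password123"))  # True
    print(register(db, "joe'--@example.com", "07700900123", "x"))       # False: apostrophe
    print(login(db, "joe@example.com", "password123"))                    # True
    print(login(db, "joe@example.com'--", ""))                            # False: fails validation
```

Validation by context is a second line of defence, not a replacement for parameterised queries: the lookup in login still binds the email rather than concatenating it, so even a value that slips past the pattern cannot change the statement.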
Hiscox cyber and data risks insurance is created to support and protect your business if it experiences a cyber attack or data breach. As part of the package, customers receive access to the Hiscox CyberClear Academy, an online interactive suite of cyber security training modules designed to raise cyber threat awareness and data protection. For more information on the most common cyber threats and how to prevent them, read the rest of our cyber FAQs.