SQL Injection (SQLi)

An SQL injection (SQLi) is a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed.

Example:

An application running a bank’s operations contains menus that may be used to search for customer details using data points such as the customer’s Social Security number. In the background the application calls an SQL query that runs in the database by passing the entered search values as follows:

SELECT client_name, telephone, address, date_of_birth WHERE social_sec_no=23425

In this sample script, the user enters the 23425 value in the application menu window, requesting the user to enter the Social Security number. Then, using the value provided by the user, an SQL query runs in the database.

A user with SQL knowledge may understand the application and, instead of entering a single value when asked for the Social Security number, enter the string “23425 or 1=1,” which is passed to the database as follows:

SELECT client_name, telephone, address, date_of_birth WHERE social_sec_no=23425 or 1=1

The WHERE clause is important because it introduces vulnerability. In a database, the condition 1=1 is always true, and because the query has been specified to return client Social Security number details (23425) or WHERE 1=1, the query will return all rows in the table, which was not the original intention.

The above SQL injection attack example is simple, but it shows how exploiting a vulnerability to trick the application into running a backend database query or command.

SQL injection attacks can be mitigated by ensuring proper application design, especially in modules that require user input to run database queries or commands. In the above example, the application could be changed so that it accepts one numeric value only.