SQL, or Structured Query Language, is a programming language used to interact with databases. Most modern websites and applications retrieve, manipulate and send data to databases, and they often use SQL to do so. A SQL injection is a malicious attack in which code is injected into database queries, which can result in the compromise of data and content.
The term “SQL injection” started making its way into discussions around the late 1990s. Since then it has prevailed as one of the most effective forms of malicious attack, since any web application with a database can be targeted. Attackers often couple their SQL injections with other malicious attacks, such as a Distributed Denial of Service (DDoS) or a DNS attack.
SQL injections are rather easy to perform because they typically occur by way of user input. User input, in this case, refers to controls that provide simple points of access to a web application’s database. Attackers have learned to game systems by entering the wrong kinds of characters, so that the database is made to perform unauthorized actions. This is done by inputting certain special characters, or by entering characters that do not belong in an input field but are not caught by its validation. The latter typically happens because the web application was not tested before it was launched.
But there are also cases in which the attacker does not have such “direct access” to a database and must proceed blindly through an onslaught of database requests. This means they do not directly see the results of their malicious queries, so the process may take longer. But once an entry point is discovered, they are able to double down and even automate the process to achieve their end results.
These types of hacks are so popular (even to this day) that many big companies with data-driven applications are still vulnerable to them. In 2009, NASA had its web applications compromised when a hacker gained administrative access to its databases. A year prior, Heartland Payment Systems lost millions of sensitive credit card records because of a SQL injection. And in 2016, a man in Florida used a SQL injection to hack into his county’s election website.
Most recently, credit giant Equifax lost hundreds of millions of dollars’ worth of sensitive data because of a SQL injection. And WordPress websites are notorious for falling victim to SQL injections, primarily because of the platform’s default ‘wp_’ table prefix.
As common and effective as SQL injections are, it is not impossible to protect yourself against these attacks. The following are some general rules for doing so:
Limit the amount of database access by way of user input.
Limit the range of acceptable user input by setting constraints on the back end before that input reaches the database.
Instead of using SQL code exclusively, one might utilize object relational mapping (ORM) to add another layer of separation.
Create a blacklist of commonly used characters in SQL injections. Malicious queries, in this scenario, will have a more difficult time being executed.
Change any default table prefixes (i.e., the WordPress ‘wp_’ table prefix) to something unique and not easily guessed.
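To make the first two rules concrete, here is an added example (not code from the original article) that puts a query built by string concatenation beside one that passes user input as a bound parameter. It uses Python’s standard sqlite3 module and a constructed in-memory users table; the names and e-mail addresses are made up.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real application.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),  # a legitimate name containing a quote
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by concatenation: the user's text becomes part of
    the SQL itself, so a quote character changes the meaning of the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Passes the value separately from the SQL text: the driver treats it
    purely as data, whatever characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str):
    """Run both lookups on a fresh database and return their results as a pair.
    A database error from the concatenated query is returned as a string so
    the caller can see that the same flaw also breaks legitimate input."""
    conn = make_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, name)
        except sqlite3.Error as exc:
            vulnerable = f"SQL error: {exc}"
        return vulnerable, lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

With the input `' OR '1'='1`, the concatenated query returns every row while the parameterized one returns none; with the ordinary name `o'brien`, the concatenated query fails outright while the parameterized one finds the user, showing that the fix protects legitimate users as well as the data.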
SQL injections remain a staple of the ongoing cybersecurity fight and are undoubtedly here to stay. Major companies are still being attacked and will continue to be until better design principles and defensive implementations are in place. Until then, the best practice is to remain diligent and to preempt attacks through good defense strategies.