SQL Injection attacks Explained. How to defend against SQL Injection?

What is SQL Injection?

SQL Injection is a code injection technique in which an attacker gets a web application to execute SQL statements of the attacker's choosing. It is one of the most common attacks against web applications. The target is the application's database, so the attack only applies to applications that have one. The attacker supplies input through the web page (a form field, a URL parameter, a cookie, a header) that the application pastes into an SQL statement without separating it from the SQL code, so the input changes the meaning of the statement.

For example, the target is a web interface where the application takes input from the user and stores it in a database, or fetches data from the database and displays it to the user. In either case the application builds an SQL query, sends it to the database server, the server executes it, and the results come back to the application, which renders them on the web page.

In SQL Injection, the attacker manipulates that query in order to read, modify or delete data they are not supposed to reach. They do this by placing characters in the input that the database interprets as SQL rather than as data: a quote to end a string literal, an operator such as OR, a comment marker to discard the rest of the statement. The manipulated query runs with whatever privileges the application's database account has.

How does SQL Injection work?

Let's take an example to understand how SQL Injection works. On a day-to-day basis we come across web applications that require us to log in, such as a Gmail or Facebook account. Logging in is usually the first function of a web interface: we enter a username and a password in order to get into the application.

SQL injection only works on applications that use a database at the back end. The usernames and passwords are stored in a table in that database. When we submit the login form, the application generates an SQL query from the values we entered, sends it to the database server, and the result decides whether we are logged in. Suppose the query is built as follows:

SELECT * FROM users
WHERE USERNAME='ABC'
AND PASSWORD='123'

In the query above, if the users table contains a row with username ABC and password 123, the query returns that row and the user is logged in. (Storing passwords in plain text like this is itself a bad practice; it is kept here only because it makes the injection easy to follow.) Instead of a real username and password, the attacker types SQL fragments into the username or password field so that the query the application builds no longer means what the developer intended.

How to perform SQL Injection?

The attacker's goal is to make the query return data without knowing a valid username and password. With the query above, the attacker can make the WHERE clause true for every row by closing the string literal early and adding an OR condition. Entering the following in the username field and anything at all in the password field:

Username: ' OR 1=1 --
Password: anything

produces this query:

SELECT * FROM users
WHERE USERNAME='' OR 1=1 -- ' AND PASSWORD='anything'

The first single quote closes the empty string literal that the application opened, OR 1=1 makes the WHERE clause true for every row, and -- starts a comment, so everything after it, including the password check, is ignored by the database. The query returns every row of the users table, and an application that treats a non-empty result as a successful login lets the attacker in, typically as the first user in the table, which is often an administrator. The same trick works in the password field: entering anything' OR 1=1 -- there gives WHERE USERNAME='xyz' AND PASSWORD='anything' OR 1=1, and since AND binds tighter than OR the clause is again true for every row. The exact comment syntax varies by database: -- is standard, MySQL requires a space after it and also accepts #, and /* ... */ works almost everywhere.

How to defend against SQL Injection?

We can prevent SQL Injection by using parameterized queries (also called prepared statements) for every statement that includes untrusted input, not just login queries. The logic behind this is not filtering out dangerous characters or words; blacklists are easy to bypass and break legitimate input such as a name containing an apostrophe. A parameterized query separates code from data: the application sends the SQL text with placeholders in it, the database parses and plans that fixed text, and the user-supplied values are passed separately and bound into the placeholders. The values are never parsed as SQL, so nothing inside them can change the structure of the statement.

Whether the database is exposed depends on how the web application builds its queries. In the example above, if the username is bound as a parameter, the attacker's text ' OR 1=1 -- is treated as a single string value to compare against the USERNAME column. The quote and the comment marker are just characters inside that value, no user has such a name, the query returns no rows, and the login fails. Two caveats apply. Parameters can only carry values; they cannot carry table names, column names or an ORDER BY direction, so if those come from user input they must be checked against an allowlist. And the database account the application connects with should have only the privileges the application needs, so that a query that does get injected elsewhere can do as little damage as possible.
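The following is an added, runnable example (not code from the original article) that puts the login example and the defence described above side by side. It uses an in-memory SQLite database with two constructed users, builds the login query once by string concatenation, as the vulnerable application does, and once with placeholders, and runs both against a valid login, the article's ' OR 1=1 -- payload, and a harmless username containing an apostrophe. The table layout, user names, passwords and function names are assumptions made for the example; SQLite's placeholder syntax (?) is used, other drivers use %s or :name but the idea is identical.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
# Plain-text passwords are kept only to mirror the article's example.
SAMPLE_USERS = [("admin", "s3cret"), ("ABC", "123")]

# The article's injection string, with the quote that closes the literal.
PAYLOAD = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Build the query by string concatenation, as in the article.

    Whatever the user typed becomes part of the SQL text, so a quote ends
    the literal and '--' turns the rest of the statement into a comment.
    Returns (id, username) of the first matching row, or None.
    """
    query = (
        "SELECT id, username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Same lookup with placeholders.

    The SQL text is fixed; the values are bound separately and are never
    parsed as SQL, so the quote and '--' inside them are just characters
    compared against the column. Returns (id, username) or None.
    """
    query = "SELECT id, username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()


def raises_sql_error(login, conn, username: str, password: str) -> bool:
    """True if the login function throws a database error for this input.

    A lone apostrophe breaking the query is the classic sign that input is
    being concatenated into SQL, and is how many injections are first found.
    """
    try:
        login(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Run both login variants over the same inputs and collect the results."""
    conn = make_db()
    return {
        # A real user logs in either way.
        "valid_vuln": login_vulnerable(conn, "ABC", "123"),
        "valid_param": login_parameterized(conn, "ABC", "123"),
        # The payload in the username field: the concatenated query becomes
        #   ... WHERE username='' OR 1=1 --' AND password='anything'
        # and returns the first row, which here is the admin account.
        "payload_vuln": login_vulnerable(conn, PAYLOAD, "anything"),
        "payload_param": login_parameterized(conn, PAYLOAD, "anything"),
        # The payload in the password field: AND binds tighter than OR, so
        #   (username='xyz' AND password='anything') OR 1=1  is true for all rows.
        "pw_payload_vuln": login_vulnerable(conn, "xyz", "anything" + PAYLOAD),
        "pw_payload_param": login_parameterized(conn, "xyz", "anything" + PAYLOAD),
        # A benign name with an apostrophe: syntax error when concatenated,
        # just a failed login when bound as a parameter.
        "quote_vuln_error": raises_sql_error(login_vulnerable, conn, "O'Brien", "x"),
        "quote_param_error": raises_sql_error(login_parameterized, conn, "O'Brien", "x"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value}")
```

Running the script shows the concatenated query accepting the payload in either field and returning the admin row, while the parameterized query returns nothing for the same inputs and does not even error on O'Brien. The point to take from the pair of functions is that the fix is a different way of sending the query, not a different way of inspecting the input.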
