SQL injection attacks are among the oldest web application vulnerabilities, discussed publicly since the late 1990s, and they remain relevant today. This explainer outlines what they are, how they work, and how you can prevent them.
An SQL injection, often abbreviated to SQLi, is a vulnerability in which an attacker supplies input that the application incorporates into an SQL (Structured Query Language) statement, so that the attacker's text is executed as part of the query. This lets the attacker read, alter or delete data they should never have been able to reach. It is one of the most prevalent and damaging classes of web vulnerability because it can affect any web application or website that builds SQL queries from untrusted input, which describes most applications backed by a relational database.
To understand SQL injection, it helps to know what SQL is. SQL is the language used to query, insert, modify and delete data stored in relational databases. Since the vast majority of websites and web applications keep their data in SQL databases, a successful SQL injection can have serious consequences for an organization.
An SQL query is a statement sent to the database asking it to return data or to carry out an operation such as an insert, update or delete. A typical example is a login form: the user submits a username and password, the application builds a query that looks that user up, and the database returns a row if the credentials match. If a row comes back the user is granted access; if not, access is denied.
The problem arises when the application builds that query by concatenating the submitted values into the SQL text. The form may be intended to accept only a name and a password, but nothing stops an attacker from typing a single quote, a comment marker or an entire SQL clause into those fields. If the application passes the text straight into the query string, the database cannot distinguish the developer's SQL from the attacker's, and the attacker is effectively sending their own requests to the database. This can allow anything from stealing sensitive data to modifying or deleting records for their own ends.
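The login example above, worked through in Python against an in-memory SQLite database. This is an added example, not code from the original page: the `users` table, the sample accounts and the plaintext passwords (a real system stores salted password hashes) are constructed for illustration. It shows the vulnerable string-building version beside the parameterized version, together with two payloads an attacker would type into the username field: one that bypasses the password check and one that uses UNION to pull another user's data into the login response.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the original page). Passwords are
    # stored in plaintext only to keep the example short; real systems
    # store salted password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by splicing the submitted values into the SQL text.

    Returns the matched username, or None if the credentials are rejected.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters.

    The values travel separately from the SQL text, so the database never
    interprets them as SQL; a quote or comment marker is just a character.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two attacker-supplied usernames. The first closes the quoted string and
# comments out the password check (SQLite treats -- as a line comment). The
# second appends a UNION query, so the login response carries a value from
# a different column and row: classic in-band, UNION-based extraction.
BYPASS_USERNAME = "alice' --"
UNION_USERNAME = "' UNION SELECT password FROM users WHERE username = 'bob' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass payload:     ", login_vulnerable(conn, BYPASS_USERNAME, "wrong"))
    print("vulnerable, union payload:      ", login_vulnerable(conn, UNION_USERNAME, "wrong"))
    print("parameterized, bypass payload:  ", login_safe(conn, BYPASS_USERNAME, "wrong"))
    print("parameterized, real credentials:", login_safe(conn, "alice", "correct horse"))
```

With the vulnerable function the bypass payload logs in as alice without knowing the password, and the UNION payload returns bob's password in place of a username. The parameterized function treats both payloads as literal (and non-existent) usernames and rejects them, while still accepting the genuine credentials.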
Because so many websites and servers sit in front of a database, SQL injection is one of the oldest and most widespread classes of attack. Several developments have increased the risk, most notably the availability of tools that detect and exploit SQL injection automatically. Freely available open-source tools such as sqlmap can fingerprint the database, enumerate its tables and columns and dump their contents in minutes, so an attacker no longer needs to craft payloads by hand.
A successful SQL injection attack may show no symptoms at all. However, sometimes there are outward signs, which include:
Depending on how they gain access to back-end data and the extent of the potential damage they cause, SQL injections fall into three categories:
In-band SQLi (Classic SQLi):
This type of SQLi is the most straightforward for attackers, since they use the same communication channel to deliver the attack and to collect its results: the query output, or a database error message that leaks part of it, appears directly in the application's response. This type of SQLi attack has two sub-variations:
Inferential SQLi (also known as Blind SQL injection):
In this type of SQLi the attacker sends payloads and observes how the server responds or behaves, rather than reading query results directly. No data is returned from the database to the attacker in the response (hence the term 'blind' SQLi); instead the attacker infers it, for example from whether a page renders differently when an injected condition is true or false, or from how long the server takes to answer. Each request yields roughly one bit of information, so blind SQLi is slower than in-band injection but just as effective, and it is easily automated. Inferential SQLi can be classified into two sub-types:
Out-of-band SQLi:
This type of SQLi is used when the attacker cannot retrieve results over the same channel, and it relies on the database server being able to make outbound network requests (for example DNS or HTTP) so that the injected query delivers the data to a host the attacker controls. This type of SQL attack takes place under two scenarios:
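Blind (boolean-based) extraction worked through in Python against SQLite, as an added example rather than code from the original page. The vulnerable endpoint, the `products` and `users` tables and the admin password are all constructed for illustration. The endpoint only ever answers "found" or "not found", so no query result ever reaches the attacker directly, yet the attacker recovers a secret one character at a time by injecting a condition and watching which answer comes back.

```python
import sqlite3
import string


def make_db():
    # Constructed sample schema and data (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO products (id, name) VALUES (1, 'widget')")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def product_exists(conn, product_id):
    """Vulnerable endpoint: the id is concatenated into the SQL, but the
    caller only learns True/False, never the rows the query matched."""
    sql = "SELECT 1 FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchone() is not None


def extract_blind(oracle, alphabet=string.ascii_lowercase + string.digits, max_len=32):
    """Recover the admin password through a true/false oracle.

    For each position, an injected condition asks "is character N of the
    secret equal to X?" and the oracle's answer reveals one character.
    Returns (recovered_value, number_of_requests_sent).
    """
    recovered = ""
    requests = 0
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # Product 1 exists, so the whole condition is true exactly when
            # the guessed character is right.
            payload = (
                "1 AND substr((SELECT password FROM users WHERE username='admin'),%d,1)='%s'"
                % (pos, ch)
            )
            requests += 1
            if oracle(payload):
                recovered += ch
                break
        else:
            # No candidate matched: substr() past the end of the string
            # returns '', so the secret has been fully recovered.
            break
    return recovered, requests


if __name__ == "__main__":
    conn = make_db()
    value, n = extract_blind(lambda p: product_exists(conn, p))
    print("recovered %r using %d requests" % (value, n))
```

Every request looks like a normal product lookup and returns the same two page variants the real feature does; the leak is entirely in which variant comes back. Time-based blind injection works the same way with a database delay function (SLEEP in MySQL, pg_sleep in PostgreSQL) standing in for the visible true/false difference; SQLite has no such function, so only the boolean variant is shown here.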
A successful SQL injection attack can have serious consequences for a business. This is because an SQL injection attack can:
The cost of an SQL injection attack is not just financial: it can also involve loss of customer trust and reputational damage, should personal information such as names, addresses, phone numbers, and credit card details be stolen. Once customer trust is broken, it can be very difficult to repair.
Over the years, many organizations have fallen victim to SQLi. Some high-profile examples include:
Fortnite is an online game with over 350 million users. In 2019, an SQL injection vulnerability was discovered that could have let attackers access user accounts. The vulnerability was patched.
An SQL injection vulnerability was found in Cisco Prime License Manager in 2018. It allowed attackers to run their own SQL against the product's database and, through that, gain shell access to the systems on which the license manager was deployed. Cisco has since patched the vulnerability.
In 2014, security researchers announced that they were able to breach Tesla’s website using SQL injection, gaining administrative privileges and stealing user data in the process.
Frequently asked questions about SQLi include:
An SQL injection attack uses malicious SQL code for backend database manipulation to access private information. This information may include sensitive company data, user lists or customer details. SQL stands for ‘structured query language’ and SQL injection is sometimes abbreviated to SQLi.
SQL injection attacks allow attackers to spoof identity, alter existing data, disclose data on the system, destroy data or make it otherwise unavailable, and become administrators of the database server. SQL injection attacks can cause serious damage to businesses, including loss of customer trust if confidential user data is breached.
Because they are relatively easy to carry out, and because the potential reward is great, SQL injection attacks are common. Statistics vary widely depending on what is measured, and estimates of what share of application attacks they make up range considerably, but the category consistently ranks near the top of industry lists. According to the Open Web Application Security Project (OWASP) Top 10 for 2021, injection, which includes SQL injection, was the third most serious web application security risk.
For businesses concerned about SQL injection prevention, key principles to help defend websites and web applications include:
Generate awareness of SQLi-based risks within the team responsible for your web application, and give developers, testers and administrators training appropriate to their roles.
Keep user input in check:
Any user input that reaches an SQL query introduces risk. The primary defense is to keep data separate from code: use parameterized queries (prepared statements), or a well-maintained ORM that issues them, so that input is bound as a value and is never parsed as SQL. Treat input from authenticated and internal users exactly like public input until it has been verified. Validate input against an allowlist of what is expected (a format, a numeric range, a fixed set of names) rather than a denylist of known-bad characters, since denylists are routinely bypassed with encoding and syntax variations. Where a value cannot be bound as a parameter, such as a table or column name in an ORDER BY clause, it must be taken from an allowlist. Finally, give the account the application uses to connect to the database only the minimum privileges it needs, so that a successful injection cannot read or modify tables the feature never touches.
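An allowlist for the one place parameters cannot help, a user-chosen sort column, as an added example (Python with SQLite; the `users` table, its columns and the sample rows are constructed and not from the original page). It shows why simply binding the column name is not a fix, how an attacker turns an unprotected ORDER BY into a true/false oracle, and the allowlisted version that rejects anything outside a fixed set of names.

```python
import sqlite3

# Allowlists for the parts of a query that cannot be bound as parameters.
# Identifiers and keywords are checked against a fixed set; a denylist of
# "dangerous" characters is not used anywhere.
ALLOWED_SORT_COLUMNS = frozenset({"id", "username", "created"})
ALLOWED_DIRECTIONS = frozenset({"ASC", "DESC"})


def make_db():
    # Constructed sample rows (not from the original page), inserted out of
    # alphabetical order so that the effect of ORDER BY is visible.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, created) VALUES (?, ?)",
        [("carol", "2023-03-01"), ("alice", "2023-01-15"), ("bob", "2023-02-10")],
    )
    conn.commit()
    return conn


def list_users_vulnerable(conn, sort_by):
    # The column name is concatenated, so the caller controls the whole
    # ORDER BY expression, including subqueries against other tables.
    sql = "SELECT username FROM users ORDER BY " + sort_by
    return [row[0] for row in conn.execute(sql)]


def list_users_bound(conn, sort_by):
    # Binding the name does NOT work: a parameter is a value, not an
    # identifier, so every row sorts by the same string constant and the
    # argument has no effect on the order.
    sql = "SELECT username FROM users ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (sort_by,))]


def list_users_safe(conn, sort_by, direction="ASC"):
    # Reject by default: only strings from the allowlist reach the SQL text,
    # so the interpolation below is safe.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unsupported sort direction: %r" % direction)
    sql = "SELECT username FROM users ORDER BY %s %s" % (sort_by, direction)
    return [row[0] for row in conn.execute(sql)]


def is_rejected(conn, sort_by):
    """True if the allowlisted function refuses the given sort column."""
    try:
        list_users_safe(conn, sort_by)
    except ValueError:
        return True
    return False


# Attacker-chosen "sort columns" for the vulnerable function. The result
# order reveals whether the embedded condition is true, which turns a
# harmless-looking sort parameter into a blind SQLi oracle.
ORACLE_TRUE = "(CASE WHEN (SELECT count(*) FROM users) > 2 THEN username ELSE id END)"
ORACLE_FALSE = "(CASE WHEN (SELECT count(*) FROM users) > 5 THEN username ELSE id END)"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, condition true: ", list_users_vulnerable(conn, ORACLE_TRUE))
    print("vulnerable, condition false:", list_users_vulnerable(conn, ORACLE_FALSE))
    print("bound parameter, no effect: ", list_users_bound(conn, "username"))
    print("allowlisted:                ", list_users_safe(conn, "username"))
    print("allowlist rejects oracle:   ", is_rejected(conn, ORACLE_TRUE))
```

The same pattern applies to any SQL fragment chosen by the caller, such as a table name, a LIMIT clause or a LIKE pattern's wildcards: map the untrusted value onto a fixed set of known-good fragments and refuse everything else, then bind every actual data value as a parameter.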
Use latest versions:
Use current, supported versions of the database server, language runtime, database drivers and web frameworks, since older versions may lack protections such as safer defaults and may carry publicly known vulnerabilities. Install software updates and security patches promptly when they become available.
Continuously scan web applications:
Use application security testing tools, both static analysis of the source code and dynamic scanning of the running application, rather than performance monitoring tools, which do not look for vulnerabilities. Scanning regularly, including on every significant code change, identifies SQLi and other weaknesses so they can be fixed before they cause serious damage.
Use a firewall:
A web application firewall (WAF) is often used to filter out SQLi, as well as other online threats. A WAF relies on a large and frequently updated list of signatures that match known malicious SQL patterns in incoming requests; the list is maintained to cover specific attack vectors and is updated in response to newly discovered techniques. A WAF is a defense-in-depth layer rather than a fix: signatures can be evaded with encoding and syntax variations, so it should complement, not replace, parameterized queries and input validation in the application itself.