SQL Injection Attack explained, with example
What is SQL Injection?
SQL Injection is a code injection attack where hackers can insert and execute malicious SQL statements that give them the control of a web app database server. It’s the most common technique used in exploiting web application vulnerability.
How SQL Injection works?
Normally, in a web application using relational databases (RDBMS) to store data, users have to enter their information for authentication via a web form provided for them. The entered value will be inserted into a SELECT statement to query the backend database. If it’s found in the database, the access is allowed, otherwise, it’s denied.
However, some poorly-designed web forms can’t validate to block suspicious input and pass it straight to the backend database instead. Hackers will then take advantage of this vulnerability and enter their SQL statements into the entry fields and be able to view, download and alter the database.
A simple example of SQL Injection:
There’s a web form used to retrieve the personal details of a bank’s customer, including full name, phone number, address, date of birth, social security number, income. And it’s stored in a relational database, take MySQL for example.
It will require entering a Social Security Number (SSN) to the entry field to query data of a customer.
The SQL statement to query the result will be like this:
SELECT
*
FROM
customers_data
WHERE
ssn = input;
The input here is the Social Security Number which is private and one can be able to query his own data only.
Let’s say the customer input 12345
as his SSN, here’s the query:
SELECT
*
FROM
customers_data
WHERE
ssn = 12345;
The result set will be somewhat like this table:
Full Name | Phone Number | Address | Date of Birth | SSN | Income |
---|---|---|---|---|---|
John Doer | 01234567889 | 1 Infinite Loop. Cupertino, CA 95014 | 20/03/1970 | 12345 | 300000 |
But if instead of entering his SSN 123456, the customer entered the string 12345 or 1=1
to the entry field. The application doesn’t validate the input data and passes it to the backend.
Here it comes the problem.
The SQL query will be:
SELECT
*
FROM
customers_data
WHERE
ssn = 12345 or 1=1;
The condition 1=1
is always true and the SELECT query above will return all the records from the customer_data
table, which exposes personal data of all customers.
How bad can it be?
The query above is just a very simple example of how SQL Injection can exploit the vulnerability of a web application. These are some common consequences:
- Exposing private and confidential information
- Modifying existing data
- Stealing root access credentials to control the database
- Destroy the whole database or make it unavailable. Then the business will be halted.
It’s a very common attack as the flaw can be easily tested and exploited. Anyone with a decent knowledge base of SQL can be able to perform the attack, given the attractiveness of your database.
How to prevent SQL Injection?
To protect your database against SQL Injection Attacks, it’s recommended to perform simple precautions during development such as validating data types and characters accepted by input entry boxes.
Read more on best practices to prevent SQL Injection Attacks
TablePlus is a modern, native tool with an elegant UI that allows you to simultaneously manage multiple databases such as MySQL, PostgreSQL, SQLite, Microsoft SQL Server and more.