SQL injection (SQLi) is a cyberattack where malicious SQL code is injected into vulnerable web applications. This allows attackers to interfere with database queries and manipulate them to gain unauthorized access to the server. Depending on the command, a successful SQL injection attack can have devastating results, leading to loss of revenue and reputation for businesses.
SQL injection is one of the top vulnerabilities because of its impact and the several ways to identify and exploit servers and applications. However, developers have made several improvements to detect and defend against SQLi attacks.
Featured PartnersFeatured Partners: Cybersecurity Software
eSecurity Planet may receive a commission from merchants for referrals from this website
How Does SQL Injection Work?
Structured Query Language (SQL) is a standardized language used to access and manipulate databases to build customizable data views for each user. If the application and code aren’t properly sanitized, malicious code can be injected into input sections and form fields of websites and applications.
SQL injection occurs when attackers identify and insert or “inject” malicious SQL queries into unsecure input fields like username and password fields or search bars. The query is sent to the backend database, which then accepts the code as a legitimate request and returns the information to the requester.
Successful SQLi attacks can result in gaining unauthorized access, obtaining sensitive information like credentials, and manipulating data like adding or removing data, or deleting files and folders:
- Steal credentials: Attackers can use SQLi queries to access and steal usernames and passwords.
- Access websites and applications: Login fields like user and password can be bypassed with a SQL query — such as ‘OR 1=1 — — in the username and password fields. This code would trick the application into executing a query that always returns as true, allowing the attacker to impersonate a valid user and access the application.
- Alter data: Applications vulnerable to SQL injection can allow malicious actors to access data in the database, including sensitive information like health and financial data. If the attacker has elevated privileges from the SQLi exploit, they can add, modify, or delete data.
SQL injection can come in several forms and has been one of the most exploited vulnerabilities in recent history. However, there has also been significant progress in finding the errors in the application’s code and preventing it from being exploited.
Types of SQL Injection Attacks
SQL injection attacks come in many forms. From the common types like error-based, union-based, blind SQLi, and the uncommon out-of-band attacks:
- Error-based SQL injection: Error-based SQLi relies on attackers gathering information about the database by analyzing the error messages thrown by the database. In some cases, error messages provide valuable insight for malicious actors and assist them in enumerating vulnerable databases.
- Union-based attacks: Union-based SQLi is a SQL injection technique that uses the UNION SQL operator to combine the results of multiple SELECT statements. Union-based attacks can retrieve data from different database tables into a single result.
- Blind SQL injection: Blind SQLi are more difficult to exploit than error or union-based attacks partly because no data is transmitted; you aren’t able to see the result of an attempted exploit (which is why it is commonly referred to as “blind”). Instead, they interact with the database by sending payloads to observe the application’s response.
These payloads are time-based and boolean-based. Time-based blind SQLi attacks look to trigger a time delay while boolean attacks trigger a change in the application’s HTTP response. - Out-of-band SQLi: Out-of-band SQLi is less common than the other types and only works if certain features of the database server are enabled. Out-of-band attacks don’t rely on database queries, error messages, or HTTP responses. Instead, they rely on the server to create DNS or HTTP requests to force the application to send data to a remote endpoint that they control.
Regardless of the type of SQL injection that is exploited, the goal is the same: to gain unauthorized access to applications and exfiltrate any data they deem useful or that can deliver the most impact. Over the years, we have all been victims of one or several data breaches due to a database susceptible to SQL injection.
3 Examples of How Attackers Exploit SQL Injection Vulnerabilities
In the past, SQL injection was very popular. At one point, it was number one on the OWASP Top 10 vulnerabilities for web applications. This was because SQL injection vulnerabilities were found on most applications, and developers didn’t use best practices like sanitization techniques. This resulted in several major data breaches including Heartland Payment Systems, Sony Pictures, and Equifax:
- Heartland Payment Systems: In 2008, attackers found an SQL injection vulnerability in a login page. They then used a malicious SQL code like user ‘OR 1=1 – in the username and password fields. When processed by the database, these queries return as true, resulting in access being granted and their stealing sensitive user data like social security numbers and other information to create their own credit cards.
- Sony Pictures: A hacking group known as LulzSec broke into Sony Pictures’ website and dumped databases holding unencrypted personal information of over 1 million people. The group claimed they could’ve “taken every last bit of information” if they wanted to. Depending on where the payload was executed on the website, the hacker group probably submitted an input like ‘ UNION SELECT username, password FROM users– to steal user data. This command retrieves the contents of a database table called users and two columns called username and password.
- Equifax: In May of 2017, malicious actors found a vulnerability in an application owned by Equifax that allowed them to execute commands remotely. They then used this exploit to send crafted SQL commands to the server and access the personal data of nearly 150 million people, making it one of the largest data breaches in history.
SQL injection can be devastating to organizations. However, by being proactive and finding the vulnerabilities before the bad guys do, you can prevent this from happening.
Common Signs That Your Website Is Vulnerable to SQL Injection
When looking for SQL injection vulnerabilities, you can leverage several tools and techniques, including vulnerability scanners. You can also conduct assessments like penetration tests or perform code reviews. Although these tools require skilled professionals, there are a few other things you can check for.
Common signs that your website might be vulnerable include:
- Error messages containing database information: When entering specific characters such as a single quote or tick ( ‘ ) in forms or search bars, the application displays error messages that include SQL database information like the type or version of SQL, column and table information, or parts of the SQL query.
- Unexpected behavior: Typing certain characters into the input fields leads to the application returning unexpected results like displaying large amounts of data, or causing the website to crash.
- Unusually large number of database queries: When monitoring your database activity, you might notice a sudden spike in user input or queries or data appearing to be accessed or modified. This may be due to a vulnerability that someone is trying to exploit.
- Data manipulation without authorization: Sensitive data from your database appears modified or accessed without any apparent user action.
Manually testing input fields on websites like search bars and login screens, URL parameters, or even the database directly with simple SQL injection strings —like ” ‘ OR ‘1=’1 ” — and checking for unexpected behavior can be enough to detect an SQLi vulnerability.
3 Tips to Prevent SQL Injection in Web Applications
Over time, web application security has significantly improved. Developers have become more aware of SQL injection vulnerabilities and have implemented various prevention measures. Some of these prevention strategies include input validation, web application firewalls, and parameterized queries:
- Sanitize input: Regularly inspect and monitor all areas of your application that allow user input and interact with the database. Be sure to remove or “sanitize” input by deleting any unsafe characters to prevent the use of malicious code. Create an allowlist to determine valid inputs and reject any suspicious inputs.
- Install a web application firewall: Deploy a web application firewall or “WAF” to detect and block common attacks like SQL injection. WAFs monitor web traffic for any abnormal activity. The firewall can alert IT teams of unusual requests or patterns synonymous with SQLi.
- Use parameterized queries: Parameterized queries or prepared statements use placeholders for parameters instead of values, separating the SQL logic from the data being passed. As a result, the database treats the input as data and not executable code.
Taking these measures and conducting regular security checks and penetration testing can greatly reduce the risk of your applications being exposed to an SQL injection. These prevention approaches have made SQL injection harder to find and exploit, dropping from #1 to #3 on the OWASP Top 10.
For more tips on preventing SQL injection attacks, including a list of open-source tools, check out this article.
Frequently Asked Questions
Here are some frequently asked questions about SQL injection:
- Are all SQL versions vulnerable to SQL injection?
Yes. Although the query syntax may differ, all SQL databases like MySQL, Oracle, PostgreSQL, NoSQL, and others can be vulnerable to SQL injection. - What applications are affected?
Any website or application interacting with a database without the proper protections is open to a SQLi attack. This includes data-driven applications like social media, surveys, search apps, and report-generating applications. - How do you test for SQL injection?
Several tools and scanners can test for all web application vulnerabilities. However, testing can also be done manually by inserting SQL payloads into every application’s entry point. The application’s entry points allow user input like forums, comment sections, and login pages.
For the best results, hire a company specializing in application penetration testing and conducting regular testing on your applications.
Bottom Line: SQL Injection is Old, But Still Dangerous
Although SQL injection attacks are not as common as they were 10, or even 20 years ago, it is still a vulnerability that can do massive damage if found and exploited. Organizations should utilize secure coding techniques and regularly test their applications to prevent SQLi vulnerabilities.
To see a major example of how SQL injection could cause major issues, watch our video on how security researchers used SQLi to bypass TSA checks.
