What is a SQL Injection Attack?

Users of computer systems and visitors to websites are familiar with authenticating their identity, or proving, “they are who they say they are,” by entering their Username and Password.

What actually happens when you enter text into the Username and Password fields of a login screen is that the text is usually inserted or encapsulated into a SQL command. This command checks the data you’ve entered against the information stored in the database, such as user names and their respective passwords. If your input matches what is stored in the database then you are granted access to the system. If not, you get an error message and a chance to re-enter the correct information or you are refused entirely.

Databases are at the core of a modern organization’s computer systems because they allow you to control your business processes. They store data needed to deliver specific content to visitors, customers, suppliers, and employees. User credentials, financials, payment information, and company statistics may all reside within a database that can be accessed by legitimate users and unfortunately attackers as well. SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in the database

SQL injection is the exploitation of a website or computer system that is caused by the processing of invalid data that is entered into the form fields by a malicious user. SQL injection can be used by an attacker to introduce (or “inject”) code into a computer program to change the course of execution in order to access and manipulate the database behind the site, system or application.

SQL Injection vulnerabilities arise because the fields available for user input allow SQL statements to pass through to the database directly in order to process data and user requests. If the input is not filtered properly, web applications may allow SQL commands that enable hackers to view unauthorized information from the database or even wipe it out.

The attack takes advantage of improper coding of web-based applications and computer networks that incorporates features that deliver dynamic content such as:

  • Login pages
  • Customer support pages
  • Product request forms
  • Feedback forms
  • Search pages
  • Shopping carts

When the legitimate user submits his details, a SQL query is generated from these details and submitted to the database for verification. Using SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the form barrier and seeing what lies behind it.

Many times all an attacker needs to perform a SQL Injection hacking attack is a web browser, knowledge of SQL queries, and creativity to guess important table and field names.

A simple illustration of a SQL injection attack goes like this; an attacker attempts compromise a system that they have no access to by entering code instead of their credentials. So when the attacker is prompted to enter their Username and Password he enters codes such as ‘x’=’x’. And depending how the system’s software is written, this command will be True because x always equal x, so the Username and Password combination will always be True or match!

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL Commands through the input field. This allows the attacker to execute any SQL command on the database, including modifying, copying, and deleting data.