SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database. Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a SELECT query. If the values entered are found as expected, the user is allowed access; if they aren't found, access is denied. However, most Web forms have no mechanisms in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways.
The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger was somewhat limited because an exploit had to be carried out manually: an attacker had to actually type their SQL statement into a text box. However, automated SQL injection programs are now available, and as a result, both the likelihood and the potential damage of an exploit has increased enormously. In an interview with Security Wire Perspectives, Caleb Sima, CTO of SPI Dynamics spoke of the potential danger: "This technology being publicly released by some black hat will give script-kiddies the ability to pick up a freeware tool, point it at a Web site and automatically download a database without any knowledge whatsoever. I think that makes things a lot more critical and severe. The automation of SQL injection gives rise to the possibility of a SQL injection worm, which is very possible. In fact, I am surprised this hasn't occurred yet." Sima estimates that about 60% of Web applications that use dynamic content are vulnerable to SQL injection.
According to security experts, the reason that SQL injection and many other exploits, such as cross-site scripting, are possible is that security is not sufficiently emphasized in development. To protect the integrity of Web sites and applications, experts recommend simple precautions during development such as controlling the types and numbers of characters accepted by input boxes.
|Getting started with SQL injections|
|To explore how SQL injections are used in the enterprise, here are some additional resources:|
|Book Excerpt: SQL injection: SQL injection is probably the most common vector used to attack SQL Server. Learn about the basics of it in this excerpt.|
|Secure SQL Server from SQL injection attacks: Did you know that any Web application using dynamic SQL is at risk for a SQL injection attack? Get precise steps to protect against these attacks.|
|SQL injection tools for automated testing: Manual testing for SQL injection requires much effort with little guarantee that you'll find every vulnerability. There is a better way: automated SQL injection testing tools.|