SQL injection
SearchSoftwareQuality.com Definitions (Powered by WhatIs.com)


DEFINITION - SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database. Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a SELECT query. If the values entered are found as expected, the user is allowed access; if they aren't found, access is denied. However, most Web forms have no mechanisms in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways.

The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger was somewhat limited because an exploit had to be carried out manually: an attacker had to actually type their SQL statement into a text box. However, automated SQL injection programs are now available, and as a result, both the likelihood and the potential damage of an exploit have increased enormously. In an interview with Security Wire Perspectives, Caleb Sima, CTO of SPI Dynamics, spoke of the potential danger: "This technology being publicly released by some black hat will give script-kiddies the ability to pick up a freeware tool, point it at a Web site and automatically download a database without any knowledge whatsoever. I think that makes things a lot more critical and severe. The automation of SQL injection gives rise to the possibility of a SQL injection worm, which is very possible. In fact, I am surprised this hasn't occurred yet." Sima estimates that about 60% of Web applications that use dynamic content are vulnerable to SQL injection.

According to security experts, the reason that SQL injection and many other exploits, such as cross-site scripting, are possible is that security is not sufficiently emphasized in development. To protect the integrity of Web sites and applications, experts recommend simple precautions during development such as controlling the types and numbers of characters accepted by input boxes.
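
The login check described in the definition, as an added example that is not part of the original definition: a SELECT built by pasting form values into the query text, beside a version that applies the character and length limits recommended above. It goes beyond the text by also passing the values as bound query parameters; the table, function names and limits are assumptions made for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for a user store.
    # Plaintext passwords keep the demo short; real stores hold salted hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, name, password):
    # Form values become part of the SELECT text, so a quote character in the
    # input ends the string literal and whatever follows is parsed as SQL.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0

# Assumed policy for this example: names are 1-32 letters, digits or underscores.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
MAX_PASSWORD_LEN = 128  # assumed limit

def login_hardened(db, name, password):
    # Precaution from the text: control the types and numbers of characters.
    if not NAME_RE.fullmatch(name):
        return False
    if not 0 < len(password) <= MAX_PASSWORD_LEN:
        return False
    # Passwords must allow punctuation, so validation alone cannot protect
    # this field. Bound parameters keep the values out of the SQL text.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0

def compare(name, password):
    # Run both checks against a fresh database and return (vulnerable, hardened).
    db = make_db()
    return login_vulnerable(db, name, password), login_hardened(db, name, password)

if __name__ == "__main__":
    crafted = "' OR '1'='1"  # constructed input that contains SQL syntax
    for name, password in [("alice", "s3cret"), ("alice", "wrong"),
                           ("alice", crafted), (crafted, "x")]:
        print(repr(name), repr(password), compare(name, password))
```

In the concatenated version the crafted password turns the WHERE clause into a condition that is true for every row, so access is granted without the real password; in the hardened version the same text is compared as an ordinary string and fails.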

Getting started with SQL injections
To explore how SQL injections are used in the enterprise, here are some additional resources:
Book Excerpt: SQL injection: SQL injection is probably the most common vector used to attack SQL Server. Learn about the basics of it in this excerpt.
Secure SQL Server from SQL injection attacks: Did you know that any Web application using dynamic SQL is at risk for a SQL injection attack? Get precise steps to protect against these attacks.
SQL injection tools for automated testing: Manual testing for SQL injection requires much effort with little guarantee that you'll find every vulnerability. There is a better way: automated SQL injection testing tools.

Learn more about Building security into the SDLC (Software development life cycle)
Web application security -- How to prevent attacks: The battle against hackers is a difficult one. This guide introduces you to popular Web application attacks and provides tips, techniques and advice for keeping the bad guys out.
PCI DSS compliance: The basics: PCI DSS requires merchants to employ basic application security techniques in order to be in compliance. Here is an overview of PCI DSS and requirement 6.6.
PCI DSS compliance: Code review: Code review is a broad concept and those looking at this option for compliance will find plenty of information on the types of code review in this section of the guide.
PCI DSS compliance: Web application firewalls (WAFs): Web application firewalls (WAFs) are one option for those seeking compliance with requirement 6.6 of the PCI DSS. Here you'll find expert advice on WAFs.
Web application security and the PCI DSS: Software security should be integrated into the software development lifecycle. The PCI DSS can't account for all this, so here is advice to get you started on a holistic approach.

LAST UPDATED: 21 Jan 2010


More resources from around the web:
- Caleb Sima offers advice on detecting vulnerabilities and protecting your site.
- MSDN explains SQL injection in more detail.





All Rights Reserved, Copyright 2006 - 2010, TechTarget | Read our Privacy Policy