In this article we will look at what is SQL injection, how to perform SQL attack and how to protect against SQL injection attacks.
What is SQL Injection Attack
SQL injection is a code injection technique that exploits a security vulnerability present at the database layer of an application. The vulnerability is present due to form input being filtered incorrectly or if the form input is not strongly typed. SQL injection attacks are also known as SQL insertion attacks.
Attackers generally target database servers which process SQL input. The prime goal of an SQL injection access to obtain unauthorized access to information stored in a database like usernames, passwords, credit card details and other important sensitive information which is not generally
accessible to the public.
How to Perform SQL Injection Attack
In SQL injection attack, the attacker inserts or places malicious SQL code into a HTML form field. This arbitrary SQL code may allow the attacker to obtain access to the data in the database. The general steps involved in a SQL injection attack are:
- Search for pages that contains a HTML form like login page, search page, registration page etc.
- Identify the suitable form fields like text box, combo box, etc.
- Inserted crafted code (like a single quote) into the selected form field and check whether the database is parsing SQL syntax or not.
- If the database server is parsing SQL input, then use other SQL commands to retrieve or insert data in the database
Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. Several tools are available to automate these attacks once the location of the vulnerability and the target information have been established.
In summary, using SQL injection, attackers can:
- Obtain basic information like directory listing or pinging an IP address
- Gain access to the database by obtaining username and password
- Add new data to the database
- Modify current data in the database
SQL injections are possible due to poor website administration and coding. The following steps can be used for preventing SQL injection attacks:
- Input validation: This involves replacing single quote with two single quotes or a double quote, sanitizing the user input by removing unnecessary special characters, detecting and removing unnecessary numeric data and making all the input fields as short as possible to
limit the length of the user input. - Modify error reports: SQL errors must not be displayed to the users. Website administrator should change the default settings for displaying detailed SQL errors including the database software name, version, and stack trace. Instead of a detailed message they can display a
simple message which doesn’t provide any useful information. - Other preventions:
- Default system accounts for SQL server should never be used
- Isolate database server and web server
- If there are any unused additional stored procedures in the database, they should be removed
Suryateja Pericherla, at present is a Research Scholar (full-time Ph.D.) in the Dept. of Computer Science & Systems Engineering at Andhra University, Visakhapatnam. Previously worked as an Associate Professor in the Dept. of CSE at Vishnu Institute of Technology, India.
He has 11+ years of teaching experience and is an individual researcher whose research interests are Cloud Computing, Internet of Things, Computer Security, Network Security and Blockchain.
He is a member of professional societies like IEEE, ACM, CSI and ISCA. He published several research papers which are indexed by SCIE, WoS, Scopus, Springer and others.
Leave a Reply