
SQL Injection

Definition - What does SQL Injection mean?

An SQL injection is an attack in which attacker-controlled input is embedded into a database query by a poorly designed application and passed to the backend database, where the input is interpreted as part of the SQL command rather than as data. The resulting query returns results or performs actions that the application never intended.

Techopedia explains SQL Injection

Let's go through an example of a SQL injection attack:

An application running a bank's operations contains menus that may be used to search for customer details using data points such as the customer's Social Security number. In the background the application builds an SQL query from the entered search value and runs it against the database. If the user enters 23425 when prompted for the Social Security number, the query looks like this (the table name clients is assumed here; the FROM clause was missing from the original):

SELECT client_name, telephone, address, date_of_birth FROM clients WHERE social_sec_no=23425

A user with SQL knowledge may work out how the application builds its query and, instead of entering a single value when asked for the Social Security number, enter the string 23425 or 1=1. Because the application concatenates the input straight into the query text, the database receives:

SELECT client_name, telephone, address, date_of_birth FROM clients WHERE social_sec_no=23425 or 1=1

The vulnerability is not in the WHERE clause itself but in how the application builds it: untrusted input is spliced directly into the SQL text, so the database cannot tell where the developer's query ends and the user's data begins. The condition 1=1 is always true, and since the WHERE clause now matches any row where social_sec_no is 23425 or 1=1 holds, the query returns every row in the table rather than the single customer the application meant to look up.

The above example is deliberately simple, but it shows how an injection vulnerability lets an attacker trick the application into running a backend database query or command that was never intended.

SQL injection attacks are mitigated by proper application design, especially in modules that pass user input into database queries or commands. In the above example, the application could be changed so that it accepts a single numeric value only, rejecting anything else before it reaches the database. More generally, the query text should be kept separate from user-supplied values by using parameterized (prepared) statements, so that input is always bound as data and never parsed as SQL.
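The following is an added example, not part of the original article, that reproduces the bank lookup above in Python against an in-memory SQLite database. It shows the concatenated query returning every row when the user types 23425 or 1=1, and then the two fixes discussed: a parameterized query, which binds the input as data, and the numeric-only input check the article suggests. The table name clients and the sample customer rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
CLIENTS = [
    (23425, "Alice Example", "555-0100", "1 Main St", "1980-01-01"),
    (55510, "Bob Example", "555-0101", "2 Side Rd", "1975-06-15"),
    (77788, "Carol Example", "555-0102", "3 Back Ln", "1990-11-30"),
]

COLUMNS = "client_name, telephone, address, date_of_birth"


def make_db():
    """Create an in-memory database with the assumed 'clients' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (social_sec_no INTEGER, client_name TEXT, "
        "telephone TEXT, address TEXT, date_of_birth TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?, ?)", CLIENTS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Builds the query by string concatenation, as the article's application does.
    Whatever the user types becomes part of the SQL text the database parses."""
    sql = f"SELECT {COLUMNS} FROM clients WHERE social_sec_no=" + user_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Sends the SQL text and the value separately. The driver binds the value,
    so a string such as '23425 or 1=1' is compared as data against the column
    and never interpreted as SQL; it simply matches no row."""
    sql = f"SELECT {COLUMNS} FROM clients WHERE social_sec_no=?"
    return conn.execute(sql, (user_input,)).fetchall()


def lookup_validated(conn, user_input):
    """The article's suggested fix: accept a single numeric value only.
    Anything that is not an integer is rejected before reaching the database,
    and the accepted value is still passed as a bound parameter."""
    if not user_input.isdigit():
        raise ValueError("Social Security number must be numeric")
    return lookup_parameterized(conn, int(user_input))


if __name__ == "__main__":
    db = make_db()
    payload = "23425 or 1=1"
    print("vulnerable, normal input :", lookup_vulnerable(db, "23425"))
    print("vulnerable, injected     :", lookup_vulnerable(db, payload))
    print("parameterized, injected  :", lookup_parameterized(db, payload))
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated, injected      : rejected,", exc)
```

Running the script shows one row for the honest lookup, all three rows for the concatenated query with the injected string, an empty result from the parameterized query, and a rejection from the validated path. Input validation alone is a narrow defence that only works where the expected input is as constrained as a number; parameterization is the fix that holds for free-text fields too.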
