Could a hacker ransack your website’s database and seize administrative control? If your site or application is poorly secured, it could be vulnerable to an SQL injection attack. What is SQL injection, is your site at risk, and how can it be prevented?
SQL is a coding language. It’s used by Database Management Systems (DBMS) to communicate information requests from a user to a database and its data-tables.
When you type a keyword into the search bar on a website, for example, an SQL request is generated behind the scenes. This request contains whatever keyword the user entered, as well as commands for the DBMS. This is then sent to the database, where the DBMS will decipher it, extract the requested information, and send it back to the user.
Here’s the process:
SQL is a simple language that relies on recognizable English words for its coding commands. If a site hasn’t been properly secured, a hacker could “inject” their own SQL coding commands to steal data.
This involves tricking a website into creating SQL strings that contain the hacker’s commands. When the string is sent to the database and interpreted, the DBMS will read the “injected” commands as actionable instructions, and then carry them out. In this way, a hacker can compel the DBMS to return information that the site’s owner might otherwise have kept private.
For example, imagine a scenario in which someone wants to steal customer usernames and passwords from an online store. If the site’s security protocols are not up to date, the hacker could go to the site’s “search” function and type in a string of coding commands, which would then be automatically stitched into the resulting SQL string.
A great example of this would be the UNION command, which can be used to add additional “sub-queries” to the user's main query. Those sub-queries can force a database to return additional information along with the legitimate search results.
Using this method, a hacker could access the table that contains customer emails, usernames or passwords. From an initial SQL injection, it’s a short step to cracking into user accounts, stealing sensitive information, and even seizing administrative control of the site itself.
If the site hasn’t been properly protected, there’s really no limit to the amount of data a hacker could access with SQL injections. Almost anything located in the database is fair game.
Using simple coding commands, they can force the database to return a full list of all the tables it contains. That gives them a roadmap to every subsection of the database so they can request any information they want.
The more centralized your data is, the worse an SQL attack can be. In the example of the online store, the hack is only really damaging because sensitive user data is kept in the same database as the product tables. Segregating information across different databases keeps the potential damage to a minimum.
One of the best strategies to prevent SQL injection is the implementation of Prepared Statements. A high-risk site will generate a fresh SQL query every time someone sends a request, giving hackers the opportunity to inject their own code.
Avoid this by programming your site to use premade SQL templates, with fixed values and a question mark where the keyword would normally appear. Your DBMS can be coded to read that question mark as whatever data is in the search bar, but the query itself is created in advance. With a prepared statement, a hacker will be unable to add any new commands to the string.
Input validation should be built into a website’s backend, with a white-list of accepted characters and words. The white-list can be updated whenever new searchable items are added to the database. If a hacker “searches” for a malicious coding command, the system will check the input data against its white-list. When it fails to find a valid input match, it won’t run the code, and will just return a “no results” message.
For more cybersecurity insights, subscribe to our monthly blog newsletter below!