(also Structured Query Language injection, SQLi)
SQL injection definition
SQL injection is a cyberattack that uses malicious SQL code to manipulate a database and access sensitive information.
SQL injection examples
In 2009, three hackers stole 130 million credit card numbers using a SQL injection attack. Targeted companies included 7-Eleven, Hannaford Brothers, and Heartland Payment Systems.
In 2012, the hacker group Team GhostShell stole and published personal data of students, faculty, employees, and alumni from 53 universities using a SQL injection. Targets included Harvard, Princeton, Stanford, Cornell, and Johns Hopkins.
Stopping a SQL injection attack
- Segregate information across different databases
- Program the site to use premade SQL templates (parameterized queries) with fixed values and a question mark where the keyword would typically appear
- Build input validation into a website’s backend, with a white-list of accepted characters and words
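
The template and allow-list measures from the list above, shown as an added example that is not part of the original page. It uses Python's sqlite3 module because it accepts the same question-mark placeholder; the table, the function names and the allow-list pattern are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory catalog with one row that must stay hidden.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red mug", 0), ("blue mug", 0), ("internal price list", 1)],
    )
    return db

def search_concatenated(db, keyword):
    # Weak form: the keyword becomes part of the SQL text, so a quote
    # character in it can change the structure of the statement.
    sql = ("SELECT name FROM products WHERE hidden = 0 "
           "AND name LIKE '%" + keyword + "%'")
    return [row[0] for row in db.execute(sql)]

def search_template(db, keyword):
    # Fixed template: the value bound to the question mark is treated
    # as data only and is never parsed as SQL.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + keyword + "%",))]

# Allow-list of accepted characters (assumed policy for this example:
# letters, digits and spaces, 1 to 30 characters).
ALLOWED = re.compile(r"[A-Za-z0-9 ]{1,30}")

def validated_search(db, keyword):
    # Backend validation runs first; the template is still used afterwards.
    if not ALLOWED.fullmatch(keyword):
        raise ValueError("keyword contains characters outside the allow-list")
    return search_template(db, keyword)

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR hidden = 1 OR name LIKE '"  # constructed test input
    print("concatenated:", search_concatenated(db, crafted))
    print("template:    ", search_template(db, crafted))
    print("validated:   ", validated_search(db, "mug"))
```

With the concatenated query the constructed input returns the hidden row; with the template the same input is only a search string that matches nothing, and the allow-list rejects it before any query runs.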