Majid Z Hacker - Free Crack Softwares
SQL Injection: What Is It And How To Defend Against It [ 2025 ]

by Majid Z Hacker
in Articles

Even today in 2021, SQL injection attacks remain one of the most common cybersecurity attack vectors and a major cause of data breaches around the world.

SQL injection attacks are popular for a reason: they are relatively easy to execute and offer high potential rewards.

SQL injection attacks are commonly performed against databases. A successful attack can give the attacker unauthorized access to the database’s sensitive information, which they can then delete or modify, or use to launch further malicious activity.

 

Even just one successful SQL injection attack against your business could lead not only to financial and legal repercussions but also to long-term or even permanent reputational damage.

 

In this guide, we will discuss all you need to know about an SQL injection attack and how to defend against it. 

 

 

Table of Contents

  • What Is SQL Injection?
    • Examples Of SQL Injection Attacks
  • How To Defend Against SQL Injection Attacks
    • 1. Using Prepared Statements With Bind Variables
    • 2. Stored Procedures
    • 3. Input Validation
  • Preventing SQL Injection With DataDome

What Is SQL Injection?

SQL injection is one of the oldest types of cyberattack, if not the oldest, with the first recorded instance of SQL injection dating back to 1998.

 

To really understand the concept of SQL injection, however, we have to first understand the term ‘SQL’. 

 

SQL stands for Structured Query Language, one of the oldest programming languages, developed in the 1970s.

Even so, SQL is still the standard language used today for storing, modifying, and retrieving data in databases.

The widespread use of SQL across databases is part of why SQL injection is so popular: valuable data is often stored in these databases.

 

SQL injection is a technique in which a cybercriminal inserts (injects) SQL into the queries a database receives, typically by entering SQL statements into areas of a website that accept input (e.g. form fields).

The injected SQL is then processed by the underlying database, causing it to perform unintended actions, for example granting the attacker unauthorized access.

For example, an attacker can perform an SQL injection attack on a vulnerable field that asks for a username.

Instead of providing a user id in this field, the attacker enters an SQL statement that the database unknowingly runs.

 

 

Examples Of SQL Injection Attacks

Attackers can launch SQL injection attacks in many different ways, but below are examples of the most common techniques and how they work:

SQL injection based on batched statements

Most modern databases support batched SQL statements, so they may be vulnerable to this type of attack.

A ‘batched statement’, as the name suggests, is a group of two (or more) SQL statements separated by semicolons, so an attacker can submit a batched statement like:

SELECT * FROM Users WHERE Id = 105; DROP TABLE CardNumbers;

This statement will effectively delete the CardNumbers table from the database.

 

SQL injection based on the logic: 1=1 is always true

In this type of SQL injection, the attacker takes advantage of a field that simply won’t stop a user from entering a “wrong” input, so the user can enter a cunning input to fool the database, for example:

SELECT * FROM Users WHERE Id = 105 OR 1=1;

This statement will give the attacker access to all records in the Users table, since 1=1 always evaluates to TRUE.

 

SQL injection based on the logic: ""="" is always true

In this example, the attacker enters " or ""=" into both the username and password fields, which produces a statement like:

SELECT * FROM Users WHERE Name ="" or ""="" AND Password ="" or ""=""

Since the WHERE clause above is always TRUE, the statement returns all rows from the Users table.

 

 

How To Defend Against SQL Injection Attacks

It’s crucial to understand that SQL injection attacks are only possible when the SQL database (or the application code that queries it) has vulnerabilities, commonly because the software developer allows user-supplied input into dynamic database queries.

In general, we can eliminate these SQL injection vulnerabilities by:

1. Not using dynamic SQL queries

2. Only allowing user input where it is absolutely necessary, and even then, preventing user-supplied input from carrying malicious SQL statements

So, in cases where dynamic SQL queries and user-supplied inputs are absolutely needed, we should prevent SQL injection attacks by ensuring attackers cannot inject SQL statements via these inputs, which can be done in several different ways:

 

 

1. Using Prepared Statements With Bind Variables

For example, by using PreparedStatement with bind variables (also known as parameterized queries) in Java EE, or PDO in PHP.

Bind variables force the coder to first define the complete SQL query and then pass in each parameter later, which lets the database clearly differentiate between code and data, preventing SQL injection attacks from ever happening.
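To make the two example techniques from the previous section and the bind-variable defense concrete, here is an added example, not code from the original article, using Python's sqlite3 module on a constructed in-memory database (the Users and CardNumbers tables and their rows are made up for the demo). It shows the dynamic query built by string concatenation returning every row for the 1=1 input and losing the CardNumbers table when the batched input is run as a script, while the bind-variable version receives the same input purely as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two tiny tables in memory, not a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(105, "alice"), (106, "bob"), (107, "carol")])
    conn.execute("CREATE TABLE CardNumbers (Id INTEGER PRIMARY KEY, Number TEXT)")
    conn.execute("INSERT INTO CardNumbers VALUES (1, '4111-xxxx-xxxx-1111')")
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def find_user_dynamic(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable: the user-supplied string is concatenated into the query text,
    # so anything it contains is parsed as SQL ("105 OR 1=1" matches every row).
    sql = "SELECT Id, Name FROM Users WHERE Id = " + user_id
    return conn.execute(sql).fetchall()


def find_user_bound(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened: the query text is fixed and the value travels separately as a
    # bind variable, so "105 OR 1=1" is compared as one literal and matches nothing.
    return conn.execute("SELECT Id, Name FROM Users WHERE Id = ?", (user_id,)).fetchall()


def batched_via_script(conn: sqlite3.Connection, user_id: str) -> bool:
    # Vulnerable: executescript() runs every statement in the string, so the
    # batched input "105; DROP TABLE CardNumbers" really drops the table.
    # Returns whether CardNumbers still exists afterwards.
    conn.executescript("SELECT Id, Name FROM Users WHERE Id = " + user_id + ";")
    return table_exists(conn, "CardNumbers")


def batched_via_execute(conn: sqlite3.Connection, user_id: str) -> bool:
    # execute() compiles a single statement; the sqlite3 module refuses a trailing
    # one, so the DROP never runs here. Other drivers behave differently, so this is
    # a driver property, not a defense: the bind variable above is the real fix.
    try:
        conn.execute("SELECT Id, Name FROM Users WHERE Id = " + user_id).fetchall()
    except (sqlite3.Warning, sqlite3.Error):
        pass
    return table_exists(conn, "CardNumbers")


if __name__ == "__main__":
    conn = make_db()
    print("dynamic, 105        :", find_user_dynamic(conn, "105"))
    print("dynamic, 105 OR 1=1 :", find_user_dynamic(conn, "105 OR 1=1"))
    print("bound,   105        :", find_user_bound(conn, "105"))
    print("bound,   105 OR 1=1 :", find_user_bound(conn, "105 OR 1=1"))
    print("execute keeps CardNumbers      :", batched_via_execute(conn, "105; DROP TABLE CardNumbers"))
    print("executescript keeps CardNumbers:", batched_via_script(conn, "105; DROP TABLE CardNumbers"))
```

The bound version still returns alice for the input "105", because the driver hands the value to the database as a parameter and SQLite converts the text to a number for the comparison; the only thing the parameter can never do is change the shape of the query.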

 

 

2. Stored Procedures

When implemented correctly, stored procedures produce the same effect as bind variables/parameterized queries; in Java, for example, they are called through CallableStatement.

It’s crucial to ensure that the stored procedure itself does not include any unsafe dynamic SQL (uncommon, but possible).

When a stored procedure does generate dynamic SQL, input validation or escaping (more on these below) should be performed.

 

 

3. Input Validation

Using an allowlist (whitelist) to filter user-supplied input is also effective in preventing SQL injection attacks.

For example, you can restrict the characters allowed in an input field so that perpetrators can’t insert SQL syntax through it.

However, while avoiding dynamic SQL generation and validating input should always be considered best practices in preventing SQL injection, they are not perfect.

In practice, it’s often not feasible to validate all inputs, and there’s always the potential for false positives.
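As an added example (not code from the original article), here is what allowlist validation looks like in Python, together with the false-positive problem just mentioned: a strict letters-only pattern rejects the legitimate name O'Brien, while the combined approach checks the shape of the input and still binds it as a parameter, so the apostrophe is handled as data. The patterns, the InvalidInput class and the sample Users rows are assumptions made for this demo.

```python
import re
import sqlite3

# Allowlist patterns (assumed for this demo): each describes the only shapes an input may take.
ID_PATTERN = re.compile(r"[0-9]{1,10}")               # numeric id: digits only
STRICT_NAME_PATTERN = re.compile(r"[A-Za-z]{1,64}")   # too strict: rejects spaces and apostrophes
NAME_PATTERN = re.compile(r"[A-Za-z' \-]{1,64}")      # letters, apostrophe, space, hyphen; no ; = " etc.


class InvalidInput(ValueError):
    """Raised when user-supplied input falls outside the allowlist."""


def validate_user_id(raw: str) -> int:
    # fullmatch anchors the whole string, so "105 OR 1=1" fails at the first space.
    if not ID_PATTERN.fullmatch(raw):
        raise InvalidInput(f"user id rejected: {raw!r}")
    return int(raw)


def validate_name(raw: str, pattern: re.Pattern = NAME_PATTERN) -> str:
    if not pattern.fullmatch(raw):
        raise InvalidInput(f"name rejected: {raw!r}")
    return raw


def is_allowed(validator, raw: str) -> bool:
    """True if the validator accepts the input; shows which inputs an allowlist lets through."""
    try:
        validator(raw)
    except InvalidInput:
        return False
    return True


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo; O'Brien is a legitimate name containing a quote.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", [(105, "alice"), (106, "O'Brien")])
    return conn


def lookup_by_name(conn: sqlite3.Connection, raw_name: str) -> list:
    # Validation and a bind variable together: the allowlist rejects junk early with a
    # clear error, and the parameter keeps the apostrophe in O'Brien as data, not SQL syntax.
    name = validate_name(raw_name)
    return conn.execute("SELECT Id FROM Users WHERE Name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for raw in ("105", "105 OR 1=1", "105; DROP TABLE CardNumbers"):
        print(f"id {raw!r:32} allowed={is_allowed(validate_user_id, raw)}")
    print("O'Brien under strict pattern:",
          is_allowed(lambda s: validate_name(s, STRICT_NAME_PATTERN), "O'Brien"))
    print("O'Brien lookup:", lookup_by_name(conn, "O'Brien"))
```

The numeric allowlist is the easy case: a digits-only check followed by int() leaves nothing for an attacker to work with. Free-text fields are where validation alone breaks down, which is why the name lookup keeps the bind variable even after the input has passed the allowlist.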

 

This is why an SQL injection prevention solution like DataDome is commonly employed to protect the system from SQL injection, as well as from other cybersecurity threats.

 

 

Preventing SQL Injection With DataDome

DataDome offers a comprehensive SQL injection protection solution with AI-powered bot protection technology. 

 

Machine learning allows DataDome to detect the presence of SQL vulnerability scanning bots, as well as automated SQL injection attempts in less than 2 milliseconds. 

 

DataDome deploys in minutes on any web infrastructure without needing any modifications to your application’s architecture. 

 

Once set up, it runs on autopilot to protect your whole system not only from SQL injection attempts and vulnerability scanning but from various other bot-driven cybersecurity threats. 

© 2024 Majid Z Hacker