By Chris David and Franklin Aguilar
SQL Injection is one of the oldest and most common vulnerabilities for web sites and applications… Is your business vulnerable?
This type of attack can threaten your business, exfiltrate valuable financial / user data, destroy systems and even be used by hackers as a beachhead for more attacks.
Are you hiring a developer for your company’s application, or a web designer to revamp your online presence? Make sure that anyone you hire knows the ins-and-outs of SQL Injection and how to prevent this critical application flaw.
What is SQL Injection (SQLi)?
To truly understand SQLi, we have to go through some background…
SQL Injection belongs to a class of attacks known as injection vulnerabilities. Injection vulnerabilities become possible when an application or web site does not properly sanitize its input.
Input to an application can come from a variety of sources: a web form, a cookie, a script, a query string, a text file, an email, etc. If this input is not properly cleaned up (i.e. sanitized), then the input could allow malicious commands to be “injected” and executed by the application.
What do we mean by “sanitizing” the input?
In short, a developer has to write code that examines all input to an application and removes any potentially dangerous commands. An arduous process to be sure.
Ok, what’s specific about SQL?
In the case of SQL Injection, the commands injected into the application through an unsanitized input are written in SQL (Structured Query Language). Most applications use databases to store information, and SQL is the language that developers use to interact with those databases. If a developer fails to check for SQL commands in any of the application's inputs, then the application is vulnerable!
Is there any good news?
Yes, the good news is that as one of the oldest application vulnerabilities, qualified developers will know about the possibility of SQLi. String formatting and placeholders are an easy way to mitigate. And many application frameworks (.NET, Ruby, PHP) include built-in tools to check for and eliminate the possibility of injection attacks.
Why do injection and SQLi attacks keep happening?
SQL Injection attacks go back to the mid-1990s. Simply put, applications are written by developers. Developers are people, and people make mistakes. Malicious hackers find those mistakes and turn them into attacks.
Also consider that applications get more complex as time goes on, and the more complex something gets, the more easily it breaks.
You can have the best product, an amazing marketing team and sales through the roof, but if hackers stole your data and destroyed your systems, it could all be for naught.
Cybersecurity is often one of the last things that people want to think about. But this is why it’s more important than ever to consider cybersecurity as one of the key pillars of your business. Make sure that your web developer knows about SQL Injection and that your applications are hardened against injection attacks!