In the world of website vulnerabilities, SQL Injection is one of the oldest and most common. Is your business vulnerable?
By Chris David and Franklin Aguilar
This type of attack can threaten your business, exfiltrate valuable financial info, compromise sensitive data and destroy your systems. Hackers can even use SQL Injection to create a beachhead for additional attacks.
Are you hiring a developer for your company’s application, or a web designer to revamp your online presence?
Make sure anyone you hire knows the ins and outs of SQL Injection and how to prevent this critical application flaw.
What is SQL Injection (SQLi)?
SQL Injection is a type of systems attack that we call an injection vulnerability.
Injection vulnerabilities become possible when an application or website does not properly sanitize input.
Input to an application can come from a variety of sources: a web form, a cookie, a script, a query string, a text file, an email, etc. If this input is not properly cleaned up (i.e. sanitized), then the input could allow malicious commands to be “injected” and executed by the application.
What do we mean by “sanitizing” the input?
In short, a developer has to write code that examines all input to an application and removes or neutralizes anything that could be interpreted as a command. An arduous process, to be sure.
What’s specific about SQL?
Most applications use databases to store information. Structured Query Language (SQL) is the language developers use to interact with the databases.
In the case of SQL Injection, hackers inject SQL commands into websites through unsanitized inputs. If a developer fails to check for SQL commands in any application inputs, then the application is vulnerable!
Is there any good news?
Yes. The good news is that because SQLi is one of the oldest application vulnerabilities, qualified developers will know about it.
String formatting and placeholders are an easy way to mitigate. Many application frameworks (.NET, Ruby, PHP) also include built-in tools to check for and eliminate the possibility of injection attacks.
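To make the difference concrete, here is an added example (not code from the authors) using Python's standard sqlite3 module and a constructed in-memory users table: the first lookup pastes the input into the SQL text, the second passes it through a placeholder so the database treats it strictly as data.

```python
import sqlite3

# Constructed sample rows for the demo; not taken from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: input is formatted into the query text, so a quote in the
    input can end the string literal and change what the statement does."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the query text is fixed, and the driver binds the input to
    the ? placeholder as a value the SQL parser never sees as code."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run the same input through both lookups and return both result sets."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # A normal name behaves the same either way: one matching row.
    print(compare("alice"))
    # The classic tautology input: the vulnerable version returns every row,
    # the placeholder version looks for a user literally named that and finds none.
    print(compare("x' OR '1'='1"))
```

Run it and the second line of output shows exactly why "sanitize or parameterize every input" is the whole ballgame: same input, two very different outcomes.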
Why do injection and SQLi attacks keep happening?
SQL Injection attacks go back to the mid-1990s. Simply put, applications are written by developers. Developers are people, and people make mistakes.
Malicious hackers find mistakes and turn them into attacks.
Also consider that applications get more complex as time goes on. And the more complex something gets, the more easily it breaks.
You can have the best product, a top marketing team and record-breaking sales, but what if hackers steal your data and destroy your systems? All your work could be for naught. Cybersecurity is one of the last things people want to think about. But cybersecurity should be a key pillar of your business.
SQL injection is one of the most common vulnerabilities for websites and applications. If your website doesn’t properly filter user input, then you could be vulnerable. Examine all application inputs. Sanitize and remove potentially dangerous code.
Make sure your web developer knows about SQL Injection and how to harden your applications against injection attacks.