This SQL injection tutorial provides a brief introduction to one of the most common threats to web security for business enterprises and public organizations. The SQL injection tutorial covers four topics:
Most modern web applications have the same basic structure and logical flow: a web client (typically a browser) communicates with a web application hosted on a web server, and the web application in turn communicates with one or more back-end databases. The databases store a variety of information relevant to the application, such as username/password combinations and user account data. End users access and modify this information by making entries into webpage forms (for example, login forms or search forms). Based on this user input, the web application sends commands to the databases, most often using Structured Query Language (SQL), the command language of the majority of modern relational databases. The database responds, and the web application then responds to the user.
In a SQL injection attack, a hacker well-versed in SQL syntax submits bogus entries in webpage forms with the aim of gaining more direct and far-reaching access to the back-end database than is intended by the web application. Most often such attacks attempt to retrieve valuable information such as username/password combinations or sensitive financial or corporate data. In some cases a SQL injection attack may also try to modify data (such as an account balance) or to maliciously delete data. In these ways SQL injection attacks may result in major breaches of cyber security.
SQL injection works by a hacker entering specialized SQL terms and characters in a web form entry field in order to dupe the application into sending different commands to the database than the application normally would. As a simplified illustration (derived from an example on the Open Web Application Security Project [OWASP] website), consider a case where application code is written with the intent to send the following command to a database:

```sql
-- The two values compared against owner and accountname are filled in
-- from the web form at run time; the template itself supplies the quotes.
SELECT * FROM accounts
WHERE owner =
AND accountname = ;
```
This command intends to retrieve account information from the "accounts" table, but only in the limited instance where the specified owner name and account name are both found in the same entry in the table. The specific owner name and account name to check for would be supplied by an end user, through a web page form.
An attacker might enter a bogus owner name in the web form and, as the account name, the string `name' OR 'x'='x`. If the application lacks adequate defenses against injection, the single-quote characters and the OR term have the effect of creating this modified SQL command to send to the database:

```sql
SELECT * FROM accounts
WHERE owner = 'smith'
AND accountname = 'name' OR 'x' = 'x';
```
The usually restrictive WHERE clause is now satisfied for every record in the "accounts" table: the owner/accountname combination of "smith/name" may not be found, but the OR part of the clause, `'x'='x'`, is always true, and AND binds more tightly than OR, so the condition reduces to "true" for every row. Thus every record from the table may be returned to the application and on to the end user.
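The following is an added example, not code from the tutorial or from OWASP: it builds the tutorial's "accounts" lookup twice against a constructed in-memory SQLite table, once by string concatenation (the flawed pattern described above) and once with a parameterized query, and runs the page's `name' OR 'x'='x` input through both so the difference in returned rows is visible. Table contents and the `balance` column are assumptions for the sake of the demonstration.

```python
import sqlite3

# Constructed sample data modelled on the tutorial's "accounts" table.
SAMPLE_ROWS = [
    ("smith", "checking", 1200),
    ("jones", "savings", 5400),
    ("lee", "brokerage", 98000),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (owner TEXT, accountname TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner, accountname):
    """Flawed pattern: form input is spliced into the SQL text itself."""
    sql = ("SELECT * FROM accounts WHERE owner = '" + owner
           + "' AND accountname = '" + accountname + "';")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner, accountname):
    """Safe pattern: SQL and values travel separately; the driver binds the
    values as data, so quotes and OR in the input never become SQL syntax."""
    sql = "SELECT * FROM accounts WHERE owner = ? AND accountname = ?"
    return conn.execute(sql, (owner, accountname)).fetchall()


def demo():
    """Run the tutorial's input through both lookups and return the rows."""
    conn = make_db()
    payload = "name' OR 'x'='x"  # the account-name string from the tutorial
    return {
        "vulnerable": lookup_vulnerable(conn, "smith", payload),
        "parameterized": lookup_parameterized(conn, "smith", payload),
        "legitimate": lookup_parameterized(conn, "smith", "checking"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) returned")
```

The concatenated query returns every row in the table, the parameterized query returns none for the same input, and a genuine owner/account pair still matches exactly one row.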
This SQL injection tutorial has briefly introduced the aims and basic technique of SQL injection attacks. For web application owners, the key question is how to thwart such attacks. There are two general approaches:
Akamai's cloud-based web security solution integrates a WAF into the global Akamai web content delivery network. This solution provides a widely distributed, forward-positioned defense against SQL injection attacks, without diminishing your web application performance. The solution also defends against the increasingly popular tactic of launching a denial of service attack against a web property while simultaneously attacking it through SQL injection.