SQL Injection Tutorial

This SQL injection tutorial provides a brief introduction to one of the most common threats to web security for business enterprises and public organizations. The SQL injection tutorial covers four topics:

  • The context of SQL injection attacks
  • The aims of SQL injection attacks
  • How SQL injection works
  • Ways to defend against SQL injection attacks

SQL Injection Tutorial Topic 1: The Context of SQL Injection Attacks

Most modern web applications have the same basic structure and logical flow: a web client (typically a browser) communicates with a web application hosted on a web server, and the web application in turn communicates with one or more back-end databases. The databases store a variety of information relevant to the application, such as username/password combinations and user account data. End users access and modify this information by making entries into webpage forms (for example, login forms or search forms). Based on this user input, the web application sends commands to the databases, most often using Structured Query Language (SQL), the command language of the majority of modern relational databases. The database responds, and the web application then responds to the user.

SQL Injection Tutorial Topic 2: The Aims of SQL Injection Attacks

In a SQL injection attack, an attacker familiar with SQL syntax submits crafted input through webpage forms (or through any other request field the application feeds into a query, such as URL parameters, cookies or headers) with the aim of gaining more direct and far-reaching access to the back-end database than the web application intends. Most often such attacks attempt to retrieve valuable information such as username/password combinations or sensitive financial or corporate data; a related aim is to bypass authentication by making a login query succeed without valid credentials. In some cases a SQL injection attack may also try to modify data (such as an account balance) or to maliciously delete data. In these ways SQL injection attacks may result in major breaches of cyber security.

SQL Injection Tutorial Topic 3: How SQL Injection Works

SQL injection works because the application builds a SQL command by joining fixed query text with raw user input. An attacker enters SQL syntax (typically quote characters and operators such as OR) in a web form field so that the input is interpreted as part of the command rather than as a plain value, and the database receives a different command than the application normally sends. As a simplified illustration (derived from an example on the Open Web Application Security Project [OWASP] website), consider a case where application code is written with the intent to execute the following command to a database:

---------------
SELECT * FROM accounts
WHERE owner = '<owner name supplied by the user>'
AND accountname = '<account name supplied by the user>';
---------------

This command intends to retrieve account information from the "accounts" table, but only for rows in which the specified owner name and account name both match. The specific owner name and account name to check for are supplied by an end user through a web page form, and the application places them between the single quotes.

An attacker might enter a bogus owner name such as "smith" and, in the account name field, the value name' OR 'x'='x (without surrounding quotes; the application supplies those). If the application lacks adequate defenses against injection, the single-quote character after "name" closes the string literal the application opened, and the text that follows is read as SQL rather than as data, producing this modified SQL command to send to the database:

---------------
SELECT * FROM accounts
WHERE owner = 'smith'
AND accountname = 'name' OR 'x' = 'x';
---------------

The usually restrictive WHERE clause is now satisfied for every record in the "accounts" table. Because AND binds more tightly than OR, the database evaluates the condition as (owner = 'smith' AND accountname = 'name') OR ('x' = 'x'); the first part may match nothing, but 'x' = 'x' is always true. Thus every record from the table may be returned to the application and on to the end user, including rows belonging to other owners.

SQL Injection Tutorial Topic 4: Ways to Defend Against SQL Injection Attacks

This SQL injection tutorial has briefly introduced the aims and basic technique of SQL injection attacks. For web application owners, the key question is how to thwart such attacks. There are two general approaches:

  • Careful application coding. A variety of programming best practices can sharply reduce a web application's vulnerability to SQL injection. The primary one is the use of parameterized queries (prepared statements), which keep user input separate from the SQL text so it can never be parsed as part of the command; stored procedures give the same protection only when they do not themselves assemble SQL from their arguments. Whitelist (allowlist) validation of input format is a useful second layer; character blacklists are not reliable on their own, because attackers can usually find encodings or alternative syntax the list does not cover. Good programming alone is rarely a complete approach to ensuring web service security and data protection, however. This is partly because most web applications are the work of many different programmers over long periods of time, and partly because it can be prohibitively costly to retrofit existing web applications that have known vulnerabilities.
  • Placing a web application firewall (WAF) in front of the web application, to inspect and filter incoming HTTP traffic. A WAF can be an effective defense against SQL injection, blocking known attack patterns before they reach vulnerable code, but it works from signatures and heuristics and should be treated as a layer in front of secure coding rather than a replacement for it. Conventional on-premises WAFs can also too easily become a performance bottleneck.
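The following Python script is an added example and is not code from the original page or from Akamai. It ties Topic 3 to Topic 4: it builds the tutorial's query by string concatenation against a constructed in-memory SQLite "accounts" table, runs the name' OR 'x'='x payload to show every row coming back, and then runs the same lookup as a parameterized query and through an allowlist check. The table layout, sample rows, regular expression and function names are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample rows for this example (assumed, not from the original page).
SAMPLE_ACCOUNTS = [
    ("smith", "checking", 1200.50),
    ("smith", "savings", 9800.00),
    ("jones", "checking", 310.25),
    ("patel", "brokerage", 45000.00),
]

# The account-name value from the tutorial, exactly as typed into the form field.
# The application's own quotes wrap it: the quote after "name" closes the intended
# string literal, and the query's closing quote completes the final 'x'.
PAYLOAD = "name' OR 'x'='x"

# Allow-list for account names, used as a second layer of defense (assumed format).
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_db():
    """Create an in-memory SQLite database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, accountname TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_vulnerable_sql(owner, accountname):
    """The pattern the tutorial describes: user input spliced straight into SQL text.
    A single quote in the input terminates the string literal, and whatever follows
    is parsed as SQL rather than as data."""
    return (
        "SELECT owner, accountname, balance FROM accounts "
        f"WHERE owner = '{owner}' AND accountname = '{accountname}';"
    )


def lookup_vulnerable(conn, owner, accountname):
    """Run the concatenated query. With PAYLOAD the WHERE clause is evaluated as
    (owner = 'smith' AND accountname = 'name') OR 'x' = 'x', which every row satisfies."""
    return conn.execute(build_vulnerable_sql(owner, accountname)).fetchall()


def lookup_parameterized(conn, owner, accountname):
    """The fix: the SQL text contains only placeholders, and the values travel to the
    driver separately, so PAYLOAD is compared as a literal account name and is never
    re-parsed as SQL syntax."""
    sql = (
        "SELECT owner, accountname, balance FROM accounts "
        "WHERE owner = ? AND accountname = ?;"
    )
    return conn.execute(sql, (owner, accountname)).fetchall()


def validate_accountname(value):
    """Allow-list check (defense in depth, not a substitute for parameterization):
    accept only short alphanumeric names, so the payload is rejected before any query runs."""
    return ACCOUNT_NAME_RE.fullmatch(value) is not None


def demo():
    """Run a legitimate lookup and the injected lookup through both query builders and
    report how many rows each one returns, plus whether the payload passes the allow-list."""
    conn = make_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "smith", "checking")),
        "attack_vulnerable": len(lookup_vulnerable(conn, "smith", PAYLOAD)),
        "legit_parameterized": len(lookup_parameterized(conn, "smith", "checking")),
        "attack_parameterized": len(lookup_parameterized(conn, "smith", PAYLOAD)),
        "payload_passes_allowlist": validate_accountname(PAYLOAD),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("smith", PAYLOAD))
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the script prints the modified query from Topic 3 and then the row counts: the concatenated query returns one row for a legitimate lookup and all four rows for the payload, while the parameterized query returns one row and zero rows respectively, because the payload is treated as an account name that does not exist. The allow-list rejects the payload outright; it is kept as a second layer because the parameterized query, not the regular expression, is what actually removes the injection.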

Akamai's cloud-based web security solution integrates a WAF into the global Akamai web content delivery network. This solution provides a widely distributed, forward-positioned defense against SQL injection attacks, without diminishing your web application performance. The solution also defends against the increasingly popular tactic of launching a denial of service attack against a web property while simultaneously attacking it through SQL injection.

Learn more about Akamai's highly scalable Cloud Security Solutions.