What is a SQL
injection attack,
and how can you
prevent it?

SQL injection attacks manipulate and compromise the communication channel between web application databases and the Structured Query Language (SQL) programming language database. Web applications and websites store data in SQL databases.  When the website or application needs to retrieve data from its database, SQL either processes the information or displays it to the user.  An attacker could gain access to the SQL database server and all its associated data by uncovering vulnerable user inputs within the web page or application. For example, in a banking application, an attacker could use SQL injection to transfer money to their account or alter account balances. 

As SQL injection attacks are inexpensive and easy to execute, they remain an easy avenue for cybercriminals to steal information from vulnerable database. Many well-publicized SQL injection attacks are data confidentiality breaches, resulting in significant financial losses. SQL injection attacks can be crippling, whether it's a result of downtime, attack recovery costs, regulatory penalties or negative publicity. 

Although it was first discovered in 1998 and is easy to defend against, SQL injection attacks are not going away.  SQL injection is still a threat to web application security today.

In an SQL injection attack, attackers gain access to the front end of your website or application by inserting arbitrary SQL code into the database query, which gives them control of your database. This means the attackers purposely and maliciously input unexpected data into the address bar, ID or password. The unexpected input confuses the database and forces it to carry out abnormal actions—typically, actions that benefit the attacker.

For example, suppose your web application fails to detect this unexpected input. When this vulnerability isn't patched or detected, attackers can inject input (data) directly into the database—thus gaining the ability to modify, copy or delete data directly within the database.

For organizations, protecting against SQL injection attacks is important.  If you're developing your own websites, services or applications, preventing SQL injection should begin at the application development stage.

When you develop applications, you should emphasize the following:

• Validation of user inputs
• Sanitation of data inputs
• Back-end hardening and tightening of the operating system and database operations, users and privileges

These mitigating strategies can help prevent SQL injection attacks from the onset if applied correctly. If you're simply running a WordPress site, however, best practices include:

• Installing a security plug-in
• Only using trusted plug-ins and themes
• Regularly updating your website

The first step in staying safe is to embrace a mindset shift about security that assumes any input to your web application database is untrustworthy and should be treated accordingly. Assume that a breach is a “when”—not an “if”—and that these breaches can be debilitating by limiting account privileges.

With that in mind, organizations should consider the following best practices:

• Conduct vulnerability assessments and penetration tests to keep tabs on your security posture.
• Apply principles of least privilege and separation of duties in related database users, processes and applications—which means no user or service should have any more access or rights than required to run.
• Use a web application firewall (WAF) as well as host- and network-based intrusion detection systems for adherence to alert and monitoring policies.

For in-house or third-party developers, SQL libraries should perform input sanitization, which scrubs any user data to remove anything potentially malicious. An excellent resource for discovering and testing your SQL injection vulnerabilities is Open Web Application Security Project's free tool.