A dominant share of websites run on (or their back end uses) an SQL (Structured Query Language) database to store website content and management information. On these sites, user input is processed by the web application code and stored in the SQL database for later access or presentation. Interaction with the SQL database is done via SQL commands called queries.
As an example of user input, let's take a user registration form where the user is required to provide login credentials, an avatar and other information relevant to the registration process. Next, the website hashes the provided password, as described in 1, and stores all acquired information, including the newly generated password hash, in the SQL database. The following PHP command is an example which adds a new customer to an existing Customers table (the string values must be quoted, and the Id column is left to the database to assign):

mysqli_query($con, "INSERT INTO Customers (First_Name, Last_Name, Age, Pass, Email) VALUES ('Michael', 'Fish', 35, 'b354390b8d81c0a880a42bee9f586fd5', 'Michael@fish-net.cc')");

The next time the user logs in, he or she submits a username and password; the stored record is retrieved from the database and compared to the submitted values.
So what is an SQL injection attack? SQL injection is, essentially, the insertion of attacker-controlled SQL, via a user input form, into the query that the back end sends to the database. A successful injection may give access to valuable information such as the list of stored passwords or credit card numbers, and it may allow the attacker to run administrative commands such as 'dump' or to erase the database content.
Now let's say that the form validation handler contains a security vulnerability and does not validate whether the provided email is truly an email address, and the user-supplied value is pasted straight into the query string. An example PHP query looks like this:

mysqli_query($con, "SELECT * FROM Customers WHERE Email LIKE '$email'");

When the user submits a valid email address, the $email variable contains Michael@fish-net.cc and the command returns the user record previously created by the "INSERT INTO" command. However, if the user instead submits "%@gmail.com", where % is the SQL wildcard symbol, this command selects all registered users with a Gmail email address. This simple case shows that website behavior may depend on user input and perform operations the developer never intended.
Of course, SQL injections today are much more sophisticated; our intent here was only to illustrate the principle.
In conclusion, SQL injection is a very dangerous attack: in addition to the compromised website, you can damage your reputation if users' sensitive data is stolen and published on the web. That is what happened to social games developer RockYou, which was attacked back in December 2009, when more than 32 million user passwords were publicly disclosed on the web.
Basic preventive security measures:
- Validate and verify every user input, and pass it to the database as a bound parameter rather than by string concatenation.
- Periodically test your website with SQL injection scanners like http://www.mavitunasecurity.com or www.gamasec.com
- Move your website to NoSQL (https://en.wikipedia.org/wiki/NoSQL) databases like MongoDB (http://www.mongodb.org/) or CouchDB (http://couchdb.apache.org/).
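The registration and lookup flow from the text, and the first preventive measure (validate every input), as an added example that is not part of the original article. It uses Python with the standard-library sqlite3 module standing in for the PHP/MySQL code above; the Customers rows, the email regular expression and the PBKDF2 password hashing are constructed here for illustration and are not from the page. The vulnerable lookup reproduces the LIKE query with string interpolation so the "%@gmail.com" wildcard case can be observed; the safe lookup validates the email first and binds it as a parameter. Because both % and _ are LIKE wildcards (and _ is legal in email addresses), the safe version matches with = rather than LIKE.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample customers (not from the page): first, last, age, password, email.
SAMPLE_CUSTOMERS = [
    ("Michael", "Fish", 35, "hunter2", "Michael@fish-net.cc"),
    ("Alice", "Smith", 29, "s3cret", "alice@gmail.com"),
    ("Bob", "Jones", 41, "pa55word", "bob@gmail.com"),
]

# Deliberately excludes '%' from the local part so the LIKE wildcard never passes validation.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; stored as 'salthex$derivedkeyhex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(con, first, last, age, password, email):
    """Validated input, hashed password, bound parameters (the page's INSERT done safely)."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    con.execute(
        "INSERT INTO Customers (First_Name, Last_Name, Age, Pass, Email) VALUES (?, ?, ?, ?, ?)",
        (first, last, age, hash_password(password), email),
    )
    con.commit()


def make_db():
    """In-memory Customers table populated with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Customers (Id INTEGER PRIMARY KEY, First_Name TEXT, Last_Name TEXT, "
        "Age INTEGER, Pass TEXT, Email TEXT)"
    )
    for first, last, age, password, email in SAMPLE_CUSTOMERS:
        register(con, first, last, age, password, email)
    return con


def lookup_vulnerable(con, email):
    """Mirrors the page's PHP: user input interpolated into a LIKE query, no validation."""
    rows = con.execute(f"SELECT Email FROM Customers WHERE Email LIKE '{email}'")
    return [r[0] for r in rows]


def lookup_safe(con, email):
    """Validate first, then bind the value; '=' so % and _ carry no wildcard meaning."""
    if not EMAIL_RE.match(email):
        return []
    rows = con.execute("SELECT Email FROM Customers WHERE Email = ?", (email,))
    return [r[0] for r in rows]


def login(con, email, password):
    """Login check: validated email, parameterized lookup, hash verification."""
    if not EMAIL_RE.match(email):
        return False
    row = con.execute("SELECT Pass FROM Customers WHERE Email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, %@gmail.com ->", lookup_vulnerable(db, "%@gmail.com"))
    print("safe, %@gmail.com       ->", lookup_safe(db, "%@gmail.com"))
    print("login Michael/hunter2   ->", login(db, "Michael@fish-net.cc", "hunter2"))
```

Run as a script, the vulnerable lookup returns both Gmail rows for the wildcard input while the safe lookup returns nothing, and the login succeeds only for the correct password. Validation and parameter binding are complementary: binding stops the input from being parsed as SQL, and validation rejects values that are syntactically valid but semantically wrong for the field.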