SQL Injection (SQLi) vulnerabilities put the security of web pages and application databases at risk. This article covers SQL injection vulnerabilities, how to prevent them, and resources to mitigate them.

On this page: 

• What is SQL injection?
• What causes a(n) SQL injection vulnerability?
• What can I do to fix it?
• Resources

 

What is SQL injection?

SQL injection is a form of attack in which malicious SQL statements are inserted into a web page form field and executed. Web pages/applications vulnerable to SQL injection essentially place their entire databases at risk.

Consider this (fairly common) scenario:

1. An attacker crafts a malicious SQL statement and issues it from a vulnerable input on your website.
2. The attacker manages to receive key information from the database, such as personal or financial information, sensitive user info, and passwords.
3. The attacker also makes changes to the database, making him or herself an administrator of the site, and then does other nefarious things such as (but not limited to) deleting records, installing malware, etc.

It can feel like a waste of time to drop what you’re working on now and spend time fixing old code. But, the benefit is in minimizing the likelihood your site/application will be used to defraud people or otherwise cause harm.

 

What causes a(n) SQL injection vulnerability?

The most common cause is the programmer practice of simply concatenating unsanitized user input with other strings to form the SQL queries issued to the database.

Additionally, outputting detailed database error messages often provides an attacker with clues needed to create an effective SQL injection attack.

 

What can I do to fix it?

• Use prepared statements (also known as parameterized queries) rather than simple string concatenation when building your SQL queries.
• Never trust user input. In other words, all user input should be sanitized at both the client and server so that potentially dangerous characters, text, or code is removed (or rendered benign) through the use of escaping, filtering, and validating. There are libraries to help with this on every platform.
• Avoid outputting verbose error messages, which can provide an attacker with valuable clues as to how best to exploit a(n) SQL injection vulnerability.

The following resources are a great place to gain a deeper understanding of SQL injection as well as the techniques used to mitigate it.

 

Resources

• A guide to SQL injection, by PortSwigger Web Security (includes hands-on labs, which require sign-in)
• SQL CheatSheet, from OWASP
• How to write secure PHP code, by WordFence