Website security is an arms race. Malicious hackers modify their techniques continuously to keep infecting benign and legitimate websites with web-malware. One of the techniques that has been used to compromise millions of websites is called SQL Injection. SQL injection attacks have been increasingly making headlines in the past few months. This depicts the sorry state of security practices poorly implemented across millions of websites. In this article we will delve into a lot of detail about SQL injection, how to identify vulnerabilities, how to stop them from being exploited and more.

What is SQL

SQL is short for Structured Query Language. SQL is a computer programming language that is used to interact with software called databases. These databases are containers of information. The information can range from House addresses, usernames and passwords to social security numbers, entire movies and what not.

SQL is well described in its Wikipedia entry here.

Why do we need SQL

Programmers and software need to use SQL in order to interact with databases. SQL is a standardized way to ask questions and retrieve results from a database. SQL also allows for questions (also called queries) asked from a database to be optimized in a manner that speeds up the processing of the query and provides the answer faster. Thereby SQL is a very important tool to interact with data storage systems, like databases, if you would like to store and/or retrieve information easily, reliably and quickly.

What functionality do websites acquire by using SQL

The usage of SQL allows a website to become dynamic,in a sense. A website no longer needs to be a collection of static webpages with which a visitor cannot interact. SQL allows webpages to store user information such as usernames, passwords, addresses, credit card numbers and much more. The visitor does not only read information on the webpages, but can also interact with the website by storing information about themselves. This information stored in databases can be retrieved by using SQL and can be used to provide a more customized experience for the website visitors. A good example of the functionality a website can gain by the use of SQL and databases, is allowing users to create a login account on the website, just like Google.

What is a code injection attack

A code injection attack is basically an unwarranted effort to push in malicious computer code into a website, by exploiting weaknesses in the software that is powering the website or by other means of exploit, such as compromised passwords (FTP) etc. This kind of an attack usually manifests itself when a malicious hacker identifies a particular weakness in the way a website handles user input and exploits that weakness to push in malicious computer code, in order to infect the web pages on the website. This allows the malicious hacker to (1) steal information from the compromised website (2) infect visitors visiting the compromised website and more.

What kind of vulnerabilities let SQL Injection happen

There are many reasons why an SQL Injection attack becomes successful. One of the primary reasons is people who develop websites often forget that they should never trust user input. Forgetting this rule of thumb has severe consequences.

SQL injection attacks primarily succeed because the code powering forms on websites, a form is any area on a website that accepts user input like a username and password box, use the data provided by visitors directly to ask SQL formatted questions to a database. This is dangerous. Malicious hackers can exploit this fact and inject malicious input, that is completely unexpected by the computer code powering the website, and forcibly create a malevolent SQL query that will compel the database to give up all valuable information.

An example of SQL Injection

There are many examples of SQL Injection. Consider the relatively recent spate of attacks on millions of websites that led to the injection of the following code inside their webpages:

[code]

<script src="hxxp://lilupophilupop.com/

[/code]

How to detect if your site is vulnerable to SQL injection

There are many ways to check if your website is vulnerable to SQL Injection or not.

1. Find out if any of the code that is powering your website takes user input directly and tries to make an SQL query with it. If yes, you should modify this behavior immediately.
2. Find out if the software that powers your website is out of date or not. If it is, apply all recommended patches and/or upgrade to the latest version of the software.
3. Find out if the third party plugins that your website employs, such as computer code to dynamically resize webpages and what not, are not opening up SQL injection vulnerabilities.
4. Conduct a vulnerability assessment scan on your website to find out if there are any SQL Injection holes that can be identified. If you do find some, you should fix them as soon as possible.

How to protect your site from SQL Injection

You can protect your website from SQL Injection attacks by taking the following precautions:

1. Make sure the computer code powering your website does not trust user input blindly. You need to sanitize user input and never use this input directly to form SQL statements and query a database.
2. Make sure all CMS software like Wordpress and third party plugins are updated to the latest version and are patched.
3. Make sure you analyze SQL injection vulnerabilities on your website using vulnerability analysis scans.
4. Use a WAF and a Firewall to prevent malicious access to the website.

Conclusion

SQL injection is a popular vector for malicious hackers to exploit and infect websites. We have seen what SQL injection is, how it is used by hackers and how to protect your website. If you would like to protect your website and your business reputation, consider our StopTheHacker service.