What is SQL injection?
SQL injection (SQLi) is a code injection technique that exploits a flaw in how an application builds the SQL it sends to its database: untrusted input is pasted into the query text, so the database server executes the attacker's input as part of the command.
A SQL injection attack occurs when a web application does not validate and, above all, does not parameterize input values (e.g. a URL parameter or a web form field) before passing them into SQL queries that will be executed on a database server.
An example:
User access
Simple ColdFusion query: http://www.domain.com/file.cfm?CustID=100
Resulting SQL statement: SELECT * FROM Customers WHERE CustID=100
Hacker access
Injected malicious code: http://www.domain.com/file.cfm?CustID=100;DELETE Customers
Resulting SQL statement: SELECT * FROM Customers WHERE CustID=100;DELETE Customers
Result: deletes all data from the Customers table.
This works because the page concatenates the raw CustID value into the query, the driver sends the whole string as one batch that SQL Server executes statement by statement, and the application's database login has DELETE rights on Customers. Each of the three protections below removes one of those preconditions.
SQL injection by the numbers
- SQL injection accounts for almost 26% of all web application attacks. (Akamai, State of the Internet report)
- The average cost of a minor SQL injection attack exceeds $196,000. (Global Threat Intelligence Report)
- On average, it takes nearly 140 days to discover a SQL injection breach. (The SQL Injection Threat Study, DB Networks)
SQL injection vulnerability rates for web applications written in…
- Java 21%
- .NET 29%
- PHP 56%
- ColdFusion 62%
- Microsoft ASP 64%
Protecting against SQL injection attacks
Separate code from data (parameterized queries)
- First: Code. Create the query template with a placeholder for every value that comes from outside the application.
- Then: Data. Bind the values as parameters through the database API (cfqueryparam in ColdFusion, sp_executesql with a parameter list in T-SQL) rather than concatenating them into the SQL text.
- Last: Submit the query. The database receives the SQL and the data separately, so a parameter value such as 100;DELETE Customers is compared against CustID as a value and never executed as a statement.
Validate input data
- Data integrity: Confirm the data has not been tampered with in transit.
- Data validation: Check length, data type, format and permitted characters.
- Business rules: Make sure the data follows your business rules (a customer ID is a positive integer, a date is within the allowed range).
- Do not rely on black-list validation (stripping or rejecting known-bad strings such as DELETE or '): attackers encode, split or re-case keywords to get past it.
- Always use white-list validation: define exactly what acceptable input looks like and reject everything else. Validation is a second layer on top of parameterization, not a replacement for it; the one place it is the primary control is for identifiers such as column or table names, which cannot be passed as parameters and must be matched against a fixed allow-list.
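The following is an added example, not code from the original page or from the products it mentions. It uses Python's built-in sqlite3 module with a constructed Customers table so it runs offline, and shows the three points above in working code: the concatenated query from the page's example (both the OR 1=1 data leak and the stacked DELETE), the same lookup done as a parameterized query, an allow-list check for CustID, a black-list filter and the payload that slips through it, and an allow-list for an ORDER BY column, which goes beyond the page's example because identifiers cannot be parameterized. sqlite3's executescript() stands in for a driver that, like SQL Server's, accepts a batch of several statements; the function and column names are chosen for this example.

```python
"""Added example: string-built SQL versus parameterized queries plus
allow-list validation, demonstrated against an in-memory SQLite database.
All names, table contents and payloads are constructed for this example."""
import re
import sqlite3

# Constructed sample data standing in for the page's Customers table.
SAMPLE_ROWS = [(100, "Ada"), (101, "Grace"), (102, "Linus")]


def make_db():
    """Create and populate the constructed Customers table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """How many customer rows survive; used to show the stacked DELETE."""
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def lookup_vulnerable(conn, cust_id):
    """Vulnerable: the raw ?CustID= value is concatenated into the SQL text.
    A value like '100 OR 1=1' rewrites the WHERE clause and leaks every row."""
    sql = "SELECT CustID, Name FROM Customers WHERE CustID=" + cust_id
    return conn.execute(sql).fetchall()


def lookup_vulnerable_batch(conn, cust_id):
    """Same concatenation, sent through an interface that runs a statement
    batch (sqlite3.executescript, emulating SQL Server batch behaviour).
    This is what turns the page's ';DELETE' payload into data loss."""
    sql = "SELECT CustID, Name FROM Customers WHERE CustID=" + cust_id
    conn.executescript(sql)  # executes every statement in the string


def lookup_safe(conn, cust_id):
    """Fixed: (1) code = template with a placeholder, (2) data = cust_id bound
    as a parameter, (3) submit. The driver never lets the value become SQL."""
    template = "SELECT CustID, Name FROM Customers WHERE CustID=?"
    return conn.execute(template, (cust_id,)).fetchall()


# Allow-list (white-list) check: a CustID is a positive integer of bounded length.
CUSTID_RE = re.compile(r"[1-9][0-9]{0,9}")


def validate_cust_id(raw):
    """Accept only input that looks like a CustID; return it as a typed int."""
    if not CUSTID_RE.fullmatch(raw):
        raise ValueError("CustID must be a positive integer")
    return int(raw)


def blacklist_filter(raw):
    """The kind of filter the page warns against: strip a known-bad keyword.
    str.replace makes one pass, so 'DELDELETEETE' collapses back to 'DELETE'."""
    return raw.replace("DELETE", "")


# Column names cannot be bound as parameters, so they need an allow-list.
ALLOWED_SORT_COLUMNS = {"CustID", "Name"}


def list_customers(conn, sort_by):
    """Interpolate an identifier only after matching it against the allow-list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT CustID, Name FROM Customers ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "100"))
    print("vulnerable, OR 1=1       :", lookup_vulnerable(db, "100 OR 1=1"))
    print("parameterized, OR 1=1    :", lookup_safe(db, "100 OR 1=1"))
    print("parameterized, ;DELETE   :", lookup_safe(db, "100; DELETE FROM Customers"),
          "rows left:", row_count(db))
    print("blacklist bypass         :", blacklist_filter("100; DELDELETEETE FROM Customers"))
    lookup_vulnerable_batch(db, "100; DELETE FROM Customers")
    print("after stacked DELETE, rows left:", row_count(db))
```

Note that sqlite3's plain execute() refuses a string containing more than one statement, which is why the batch path has to be spelled out separately; that refusal is a useful defense in depth, but it is driver-specific and is not what stops the injection in lookup_safe. The parameter does.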
Assign least privileged access
Reduce the impact of a successful SQLi attack by minimizing the privileges of the database login the application uses: grant only the SELECT, INSERT, UPDATE or DELETE rights (or EXECUTE on specific stored procedures) the application actually needs, and never run it as db_owner or sysadmin. In the example above, a login without DELETE permission on Customers could not have emptied the table even though the injection succeeded.
SQL Compliance Manager and SQL Secure help detect and respond to SQL injection by identifying and alerting on abnormal database activity and providing real-time auditing of all login activity to SQL Server; they complement, rather than replace, parameterized queries, input validation and least privilege.