SQL Injection Attack: What is it?

(To Alessandro Rugolo)

How many times have you heard about SQL Injection and promised yourself to understand what it is, without having the time or desire to do so?

If you have three minutes, I'll try to explain it to you, simply.

Let's start with the name: SQLi, SQL Injection or, in full (in one of the possible interpretations), "Structured Query Language Injection" is a type of attack against the database of a web application that consists of executing a malicious query. For completeness, I'll add that SQL is the standard language used to interact with a relational database.

But what does that mean, you ask?

Let's take a practical example. Think of a page on an online shopping site, where you can generally search for and select a product to purchase. Often, the search box accepts text strings that include symbols or special characters. Some of these characters may seem harmless to us, but not to the database, which interprets them in a completely different way.
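The search box described above, as an added example that is not part of the original article: it sets a query built by pasting the search text into the SQL beside the same query with the text passed as a bound parameter. The table, product names, function names and the two search strings are constructed for illustration, and Python's built-in sqlite3 module stands in for the site's database.

```python
import sqlite3

def make_db():
    # Constructed sample catalogue; one row is not meant to be visible to shoppers.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("Rain jacket", 1), ("O'Neill wetsuit", 1),
                    ("Unreleased prototype", 0)])
    return db

def search_unsafe(db, term):
    # Vulnerable: the search text becomes part of the SQL statement itself.
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, term):
    # Hardened: fixed statement, search text passed as a bound parameter.
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%' || ? || '%'")
    return [row[0] for row in db.execute(sql, (term,))]

def demo():
    db = make_db()
    out = {}
    # An ordinary apostrophe ends the string literal early and breaks the query.
    try:
        out["apostrophe_unsafe"] = search_unsafe(db, "O'Neill")
    except sqlite3.OperationalError as exc:
        out["apostrophe_unsafe"] = "error: " + str(exc)
    out["apostrophe_safe"] = search_safe(db, "O'Neill")
    # Constructed input whose quote turns the rest of the text into SQL logic.
    crafted = "x' OR '1%'='1"
    out["crafted_unsafe"] = search_unsafe(db, crafted)
    out["crafted_safe"] = search_safe(db, crafted)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

With the parameterized version the apostrophe is just a character in the product name, and the crafted text is searched for literally and matches nothing.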

What can happen if you are the victim of an SQLi attack?

Unfortunately, anything can happen.

If the controls on possible database queries are incorrect (or, as we still see, non-existent), the data it contains can be modified, deleted, copied or even encrypted. Moving from the database to other areas of the system is not difficult, so an attacker with time and a minimum of resources and IT knowledge can really do a lot of damage.

SQLi is one of the best-known attacks and one that still works today, mainly because of poorly programmed web pages that, as already mentioned, do not carry out the correct checks on what a site user can enter as a request.

This type of attack has been publicly known since at least 1998, thanks to the article "NT Web Technology Vulnerabilities" published in Phrack by Rain Forest Puppy, the pseudonym of Jeff Forristal, hacker and world security expert.

To learn more:

- http://phrack.org/issues/54/8.html

- https://www.esecurityplanet.com/networks/how-was-sql-injection-discovered/

- https://owasp.org/www-community/attacks/SQL_Injection