What is SQL Injection?
SQL Injection is a code injection technique used to attack data-driven applications. In this technique, malicious SQL statements are inserted into an entry field for execution. This allows attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Types of SQL Injection
There are several types of SQL Injection, each with its own specific techniques and potential impacts:
- Classic SQLi: Also known as In-band SQLi, it is the most straightforward type, where the attacker uses the same communication channel to both launch the attack and gather results.
- Blind SQLi: In this type, the attacker is unable to see the result of an attack in-band, making the attack slower as the attacker has to send a payload and then observe the response and behavior of the database server.
- Out-of-band SQLi: This type is not very common, mostly because it depends on features being enabled on the database server used by the web application. It involves having the database server issue a DNS or HTTP request to deliver data to the attacker.
SQL Injection Techniques
There are several techniques that attackers use to exploit SQL Injection vulnerabilities:
- Union-based SQLi: This technique leverages the UNION SQL operator to combine the results of the original query with results from injected malicious queries.
- Error-based SQLi: This technique forces the database to generate an error, giving the attacker information upon which to refine their injection.
- Time-based blind SQLi: This technique forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
- Boolean-based blind SQLi: This technique forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Preventing SQL Injection
Preventing SQL Injection relies on two controls: input validation and parameterized queries. Input validation checks user input against a set of rules (a whitelist) and rejects any input that does not meet them. Parameterized queries use a fixed, predefined SQL statement and supply the parameters (values) to the database driver separately, so user-supplied values are never spliced into the SQL text and cannot change the structure of the statement.
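The two controls above side by side, as an added example that is not part of the original article (it uses Python's sqlite3 module and a constructed in-memory table). The concatenated query breaks on a legitimate name containing a quote, while the parameterized query treats the same input as plain data; the sort-column function shows the case a parameter cannot cover, an identifier, where the whitelist check is the control.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample table; not from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, created INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "admin", 2), ("o'brien", "user", 1)])
    return conn


def role_concatenated(conn, name):
    # Vulnerable pattern: the value is pasted into the SQL text, so a single
    # quote in the input changes how the database parses the statement.
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone()


def role_parameterized(conn, name):
    # Safe pattern: the statement is fixed; the driver binds the value
    # separately, so quotes in the input remain part of the data.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


# Identifiers (column names) cannot be bound as parameters, so the only
# control for a user-chosen sort column is a whitelist of allowed names.
ALLOWED_SORT_COLUMNS = {"name", "created"}


def names_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()
    return [r[0] for r in rows]


def quote_handling_demo():
    """Show the two patterns on the same quote-bearing input."""
    conn = make_db()
    try:
        role_concatenated(conn, "o'brien")
        concatenated_failed = False
    except sqlite3.OperationalError:  # syntax error: the quote broke the SQL
        concatenated_failed = True
    return concatenated_failed, role_parameterized(conn, "o'brien")
```

Running `quote_handling_demo()` returns `(True, 'user')`: the concatenated form raises a syntax error (the kind of error message error-based injection feeds on), while the parameterized form simply returns the row.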