What is SQL injection?
SQL injection occurs when an attacker submits input containing SQL that the web application then passes to the database for execution. The result is a vulnerability that exposes the back-end database, and it is typically caused by improper input validation or encoding. The attacker's input alters the command the application builds, so the application ends up executing commands and data changes that were never intended. During a successful SQL injection the SQL interpreter cannot distinguish between the commands the developer intended and the text supplied by the attacker. By exploiting this, an attacker can gain unauthorized access to confidential areas of the network and can then create, read, update, edit, and delete data. This is typically done to obtain sensitive data such as credit card numbers, social security numbers, financial information, contact information, company information, company assets and much more.
Components of an SQL Injection Attack
- A malicious user crafts input that is constructed to trick the SQL interpreter into executing an action it would not normally perform.
- The data entered by the malicious user is sent to the SQL interpreter as part of a query.
- The SQL interpreter parses the input data and treats it as a legitimate command.
- Once the action has been performed, the malicious user may have full access to sensitive company data.
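As an added illustration of the steps above (not code from the original post), the following Python/sqlite3 snippet uses a constructed in-memory table to contrast a query built by string concatenation, where the interpreter parses user input as part of the command, with a parameterized query, where the same input is passed to the interpreter strictly as data:

```python
import sqlite3

def make_db():
    """Constructed sample database for the demonstration (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: the input becomes part of the command text,
    so a quote character in the input changes the structure of the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    """Sends the SQL and the values separately: the interpreter compiles the
    command first and binds the input as plain data, never as SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]

def demo():
    """Runs both variants against the same constructed input and returns the rows each matched."""
    conn = make_db()
    # Constructed input: the quote terminates the password literal and appends a
    # condition that is always true, so the concatenated query matches every row.
    tampered = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", tampered),
        "parameterized": login_parameterized(conn, "alice", tampered),
        "legitimate": login_parameterized(conn, "alice", "s3cret"),
    }
```

The vulnerable variant returns every user because the interpreter accepted the injected condition as part of the command, while the parameterized variant returns nothing for the same input and only matches when the real password is supplied.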
See SQL Injection Cheat Sheet, Attack Examples & Protection at Vulnerability Knowledge Base.