What Is SQL Injection: How to Prevent SQL Injection

In today’s world where technology is booming, web hacking techniques are becoming popular, especially the ones that can destroy your applications. SQL Injection is one such technique that can attack data-driven applications. In this article, you will see what SQL Injection is, and how SQL Injection uses malicious SQL codes to access information that can destroy your database.

What Is SQL Injection?

SQL Injection is a code-based vulnerability that allows an attacker to read and access sensitive data from the database. Attackers can bypass security measures of applications and use SQL queries to modify, add, update, or delete records in a database. A successful SQL injection attack can badly affect websites or web applications using relational databases such as MySQL, Oracle, or SQL Server. In recent years, there have been many security breaches that resulted from SQL injection attacks.

SQLnjection

With this basic understanding of ‘what is SQL Injection’, you will now look at the different types of SQL Injection.

Become a Certified Ethical Hacker!

CEH v12 - Certified Ethical Hacking CourseExplore Program
Become a Certified Ethical Hacker!

Types of SQL Injection

TypesofSQLInjection

In-band SQLi - The attackers use the same communication channel to launch their attacks and collect results.

The two common types of in-band SQL injections are Error-based SQL injection and Union-based SQL injection.

  1. Error-based SQL injection - Here, the attacker performs certain actions that cause the database to generate error messages. Using the error message, you can identify what database it utilizes, the version of the server where the handlers are located, etc.
  2. Union-based SQL injection - Here, the UNION SQL operator is used in combining the results of two or more select statements generated by the database, to get a single HTTP response. You can craft your queries within the URL or combine multiple statements within the input fields and try to generate a response.

Blind SQLi - Here, it does not transfer the data via the web application. The attacker can not see the result of an attack in-band.

  1. Boolean-based SQL Injection - Here, the attacker will send an SQL query to the database asking the application to return a different result depending on whether the query returns True or False.
  2. Time-based SQL Injection - In this attack, the attacker sends an SQL query to the database, which makes the database wait for a particular amount of time before sharing the result. The response time helps the attacker to decide whether a query is True or False.

Out-of-bound SQL Injection - Out-of-bound is not so popular, as it depends on the features that are enabled on the database server being used by the web applications. It can be like a misconfiguration error by the database administrator.

Now, it’s time to understand another important topic in this article titled ‘What is SQL Injection’, i.e., how to prevent SQL injection?

How Does SQL Work On a Website?

A website has three major components - Frontend, Backend, and Database.

At the frontend, a website is designed using HTML, CSS, and JavaScript. At the backend, you have scripting languages such as Python, PHP, Perl, etc. The server side has databases such as MySQL, Oracle, and MS SQL Server, to execute the queries. 

When you write a query, you generally send a get request to the website. Then, you receive a response from the website with HTML code. 

Using the Postman API tool, you can test the responses that you get from various websites.

Become a Certified Ethical Hacker!

CEH v12 - Certified Ethical Hacking CourseExplore Program
Become a Certified Ethical Hacker!

Demo on SQL Injection

  • Go to Google Chrome or any web browser and search for owasp broken web apps
  • Click on the sourceforge.net link
  • Select the Download option to download the OWASP Broken Web Applications Project

DemoonSQLInjection

This application has been developed by the Open Web Application Security Project that periodically releases the top 10 risks that an application will face for a particular year. It has a collection of vulnerable web apps that are distributed on a Virtual Machine. 

This project has in-built vulnerabilities for learners and professionals to practice and develop their skills on how SQL injection works. 

Note: Performing SQL Injection in the real-world on any website is illegal.

  • After downloading the OWASP Broken Web Apps virtual machine, open it on a VMware workstation.
  • You can see the IP address of the machine. In this case, it’s 192.168.71.132

DemoSQLInjection_2

  • Use the IP address mentioned above and open it on a browser

You will find training applications, and realistic, intentionally vulnerable applications.

You can also find old versions of real applications and much more.

DemoSQLInjection_3
DemoSQLInjection_4

DemoSQLInjection_5

For the demonstration, you’ll be using the OWASP Mutillidae II application.

DemoSQLInjection_6

On the left, you can see the OWASP top 10 risks for 2013, 2010, and 2007. 

Click on SQLi - Bypass Authentication > Login

DemoSQLInjection_7png

You will enter a regular login authentication page that any application may ask for.

DemoSQLInjection_8

Suppose you enter an anonymous username and password, that won’t allow you to log in.

DemoSQLInjection_9

Let’s write an SQL statement in the username and try to login again.

  • My Username will be: ‘ or 1=1 -- 
  • Click on Login
  • You will log in this will time with a status update saying it has authenticated the user

DemoSQLInjection_10

The single quote (‘) is an operator that goes to the database server, selects the default user tables, and compares it to the condition that is given. That condition that you gave was 1=1, which is always true. So, it selected the default user table that was available in the database, and instead of comparing it to a password, it compared it to the condition.

If you give a false condition like 1=2, you will get an error message “Account does not exist”.

DemoSQLInjection_12

Now, that you have looked at a demonstration on how an SQL query can be used to login to an application, let’s understand the last topic in this article on ‘what is SQL Injection’.

Become a Certified Ethical Hacker!

CEH v12 - Certified Ethical Hacking CourseExplore Program
Become a Certified Ethical Hacker!

How to Prevent SQL injection?

DemoSQLInjection_13

  1. Use prepared statements and parameterized queries - Parameterized statements ensure that the parameters passed into the SQL statements are treated safely.
  2. Object-relational mapping - Most development teams prefer to use Object Relational Mapping frameworks to translate SQL result sets into code objects more seamlessly. 
  3. Escaping inputs - It is a simple way to protect against most SQL injection attacks. Many languages have standard functions to achieve this. You need to be aware while using escape characters in your code base where an SQL statement is constructed. 

Some of the other methods used to prevent SQL Injection are:

  • Password hashing
  • Third-party authentication
  • Web application firewall
  • Purchase better software
  • Always update and use patches
  • Continuously monitor SQL statements and database

Conclusion

SQL Injection attacks can exploit an organization’s database and control a database server behind a web application. After reading this article, you explored ‘what is SQL injection’ and its types. You looked at a demonstration using the OWASP application and learned how to prevent SQL Injection.
If you are looking for comprehensive training in sql to master all language, Simplilearn’s Advanced Executive Program In Cyber Security course is what you need. Covering all the essential SQL fundamentals in a cutting-edge curriculum, the course gives you everything you need to master the language and begin a rewarding career as a SQL expert. 

Do you have any questions related to this article? If you do, then please put them in the comments section of this article. Our team will help you solve your queries.

To learn more, click on the following link: SQL Injection 

About the Author

Shruti MShruti M

Shruti is an engineer and a technophile. She works on several trending technologies. Her hobbies include reading, dancing and learning new languages. Currently, she is learning the Japanese language.

View More
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.