What is SQL Injection (SQLi)?
Part of the “injection” class of vulnerabilities, SQLi occurs when a user slips a valid SQL command or query fragment into a web application, which then executes it as part of its own database query.
Usually this is done by “tacking on” extra SQL to the application’s input fields.
Root Cause:
Input which should be treated as data is executed as a command.
Example:
A form field allows users to enter information. Instead of entering data, the user inputs a query or database command. If the web application/database treats this information as commands rather than data, SQL injection has occurred.
OWASP Definition
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query, and tricks the database/operating system into executing commands.
Attacks are being attempted against you right now
Approximately 3.9 million (Dec 2009) machines on the Internet are infected with SQLi-generating bots that launch SQLi attacks in order to spread phishing systems.
It is profitable. There is motivation.
Traditional hackers use SQLi to breach firewalls, steal data, or to explore database content.
Why? To make money: get credit cards, customer email addresses and Personally Identifiable Information, enhance phishing credibility, etc.
Example Scenario
The application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query so that it returns all the records from the accounts table, instead of only the intended customer’s.
http://example.com/app/accountView?id=' or '1'='1
In the worst case, the attacker uses this weakness to invoke special stored procedures in the database, allowing a complete takeover of the database host.
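The scenario above, reproduced as an added example (not from the original page): a constructed in-memory SQLite table plays the role of the accounts table, a lookup built by string concatenation mirrors the Java snippet, and a parameterised lookup shows the fix. The table layout and sample rows are assumptions for the demo.

```python
import sqlite3

# The page's payload: closes the quoted literal and appends an always-true condition.
INJECTION_PAYLOAD = "' or '1'='1"


def make_db():
    """Constructed sample data standing in for the application's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("1001", "alice"), ("1002", "bob"), ("1003", "carol")],
    )
    return conn


def vulnerable_lookup(conn, cust_id):
    """String concatenation, as in the Java snippet: input is parsed as SQL, not data."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, cust_id):
    """Parameterised query: the value is bound separately and can never alter the query."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


def compare(cust_id):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = make_db()
    try:
        return len(vulnerable_lookup(conn, cust_id)), len(safe_lookup(conn, cust_id))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal id 1001:", compare("1001"))            # (1, 1)
    print("injected id:   ", compare(INJECTION_PAYLOAD))  # (3, 0)
```

With a legitimate id both lookups return one row; with the injected id the concatenated query returns every account, while the parameterised one matches nothing because the payload is compared as a literal customer id.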