One of the biggest classes of web vulnerabilities is known as “SQL Injection”, or SQLi. Structured Query Language, or SQL, is the language used to interact with the majority of databases, although a number of variants of the language exist depending on the database platform. Any website that stores user data, such as account information, or provides user upload functionality, such as an image hosting website, will be using a database to store that data.
Tip: SQL is generally either pronounced “ess cue ell” or “sequel” with the first option being more common in British English and the second more prevalent in American English. Both pronunciations are generally understood in the context of talking about databases.
What is SQLi?
SQLi is a vulnerability that arises when the web developers who write the code communicating between the web server and the database don’t implement protections against SQL commands being submitted by a user. The problem is that user input can be used to escape out of a database statement and add new clauses or an entirely new statement. The altered or second database statement can perform a range of actions, including potentially large-scale deletions or data leaks.
Exploits typically revolve around making an existing statement always evaluate to true, or supplying a second batched command that performs a specific action such as deleting or displaying all data. For example, the SQL statement used to log in to a website may check whether the submitted username and password match an entry in the database. To attempt to gain access, an SQL injection exploit may try to add an “or true” clause such as “or 1=1”. This would turn the command into something along the lines of “log in with [this] username if the password is [this], or if this statement is true”.
How to prevent SQLi
SQLi used to be a very common way for websites to have their databases breached and the contents leaked online. Due to a concerted effort to ensure that security awareness is part of developer training, this class of vulnerability has largely been resolved and is only rarely seen anymore.
The correct method to prevent SQLi is to use prepared statements, also known as parameterised queries. Traditionally, SQL statements are declared with the user input concatenated into them as part of that declaration. With prepared statements, the database command is written out with placeholders, and a separate function runs the command and supplies the user data. While this may seem like a minor difference, it completely changes how the command is handled: the structure of the statement is fixed before any user data is seen, so all user input is treated as a plain string value rather than as SQL, preventing SQL injection from happening.
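The following is an added example, not code from the original article, showing the login check described above in both forms: the concatenated query that the “or 1=1” style input defeats, and the parameterised query that treats the same input as an ordinary string. It uses Python’s standard sqlite3 module with a constructed in-memory table and a single made-up account; the table layout, account values and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account in an in-memory database (assumption for the example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    # VULNERABLE: user input is pasted into the SQL text. A quote character in the
    # input closes the string literal and everything after it is parsed as SQL,
    # so an "or true" clause changes what the statement asks.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    # SAFE: the statement is written once with ? placeholders and the values are
    # bound separately. The database never re-parses the input as SQL; a quote in
    # the password is simply part of the string being compared.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(conn, username, password):
    # Runs the same credentials through both implementations so the difference is visible.
    return {
        "concatenated": login_concatenated(conn, username, password),
        "parameterised": login_parameterised(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    # Correct credentials: both versions accept them.
    print("valid password:", compare(db, "alice", "correct horse"))
    # Wrong password: both versions reject it.
    print("wrong password:", compare(db, "alice", "wrong"))
    # The "or 1=1" style input from the article: the concatenated version is
    # fooled into a match, the parameterised version compares it as a literal string.
    print("injected input:", compare(db, "alice", "' OR '1'='1"))
```

With the injected input the concatenated version builds `... AND password = '' OR '1'='1'`, which is always true because AND binds tighter than OR; the parameterised version asks the database for a password literally equal to the characters `' OR '1'='1`, finds none, and returns False.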