What Is SQL Injection?

November 9, 2020 by Mel Hawthorne

One of the biggest classes of web vulnerabilities is known as “SQL Injection”, or SQLi. Structured Query Language, aka SQL, is the language used to interact with the majority of databases, although a number of variants of the language are used depending on the database platform. Any website that stores user data, such as account information, or provides user upload functionality, such as an image hosting website, will be using a database to store that data.

Tip: SQL is generally either pronounced “ess cue ell” or “sequel” with the first option being more common in British English and the second more prevalent in American English. Both pronunciations are generally understood in the context of talking about databases.

What is SQLi?

SQLi is a vulnerability that arises when the web developers who design the code communicating between the webserver and the database don’t implement protections against SQL commands being submitted by a user. The problem is that it’s possible to escape out of a database statement and add new arguments or an entirely new statement. The changed or second database statement can perform a range of actions, including potentially large-scale deletions or data leaks.

Exploits typically revolve around making existing statements true in all circumstances or providing a second batched command that performs a specific action, such as deleting or displaying all data. For example, an SQL statement to log in to a website may check if the submitted username and password match an entry in the database. To attempt to gain access, an SQL injection exploit may try to add an “or true” clause such as “or 1=1”. This would make the command read along the lines of “log in with [this] username if the password is [this], or if this statement is true”.

How to prevent SQLi

SQLi used to be a very common way for websites to have their database breached and then leaked online. Due to a concerted effort to ensure that security awareness is part of developer training, this class of vulnerability has largely been resolved and is only rarely seen anymore.

The correct method to prevent SQLi is to use prepared statements, also known as parameterised queries. Traditionally, SQL statements are declared with the user input concatenated into them during that declaration. With prepared statements, the database command is written out first and then a separate function runs the command and supplies the user data. While this may seem like a minor difference, it completely changes how the command is handled. Because the statement is fixed before the data is supplied, all user input is treated as a string value rather than as part of the command, so no injected SQL can run.
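The two approaches side by side, as an added example that is not part of the original article: a login check that concatenates user input into the statement, next to the same check written as a parameterised query. It uses Python's built-in sqlite3 module with a constructed in-memory database and a single constructed user row.

```python
import sqlite3


def make_db():
    # Constructed sample data for this demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    # Vulnerable form: input becomes part of the statement text, so a quote
    # in the input closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, username, password):
    # Hardened form: the statement is fixed, and the driver binds the values
    # to the ? placeholders, so the input is only ever compared as a string.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    # The "or true" clause described in the article, supplied as the password.
    or_true = "' OR '1'='1"
    return {
        "concat_real_password": login_concatenated(conn, "alice", "correct horse"),
        "concat_wrong_password": login_concatenated(conn, "alice", "wrong"),
        "concat_or_true": login_concatenated(conn, "alice", or_true),
        "prepared_real_password": login_prepared(conn, "alice", "correct horse"),
        "prepared_wrong_password": login_prepared(conn, "alice", "wrong"),
        "prepared_or_true": login_prepared(conn, "alice", or_true),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

Only the concatenated version accepts the "or true" password; the prepared statement compares it as a literal string and rejects it.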
