What is SQL Injection?

What is it?

Put simply, SQL injection (often pronounced “sequel” injection) is a web application security flaw that lets an attacker run their own commands against the database behind your web site, and so read, alter or delete the private or confidential data it holds. It is surprisingly common, can have a devastating business impact, and is easy to prevent. Now you too can answer the question “What is SQL injection?”.

How does it happen?

In order to carry out business functions such as allowing your users to log on, or to pay for goods using a credit/debit card, your e-commerce web site will typically have a database containing such things as your customers’ account details, passwords, and other valuable data.

If your web site builds its database commands by pasting whatever users type straight into them, rather than keeping that input separate from the command itself, an attacker can type fragments of SQL into a form field or a web address so that the database runs (or “executes”) the attacker’s commands instead of yours. That gives them access to this vital data (and anything else that the web site stores or has access to), and your data can be copied out in minutes.

It’s as simple as that.

How can I detect and prevent SQL injection attacks?

Prevention is better than cure. The key party to involve in this discussion is the web site developer, who can do much to prevent this kind of attack. The most effective measure is to make sure that every database command is written as a parameterised query (a “prepared statement”), so that whatever a user types is handed to the database as plain data and can never be treated as part of the command. Carefully checking all inputs to the web site (e.g. forms, web addresses and other inputs) to ensure that they are as expected, and rejecting anything unexpected, is a worthwhile second layer, but on its own it is not a reliable defence.
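To make the two preceding sections concrete, here is a small added example (it is not code from the original post or from any real shop site). It uses Python with the built-in sqlite3 module and a constructed in-memory database with made-up customers and products. The “vulnerable” functions paste user input into the SQL text exactly as described above; the “safe” functions use parameterised queries. The three payloads are classic ones and are assumptions about what an attacker might type, not anything observed on a real site.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
# Real applications must store password hashes, never plaintext; plaintext
# is used here only to keep the queries short enough to read.
SAMPLE_USERS = [
    ("alice", "correct-horse", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]
SAMPLE_PRODUCTS = [
    ("widget", 9.99),
    ("gadget", 24.50),
]


def make_db():
    """Build a throwaway in-memory database standing in for the shop's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


# --- The vulnerable pattern: user input pasted straight into the SQL text ---

def login_vulnerable(conn, username, password):
    """Returns the matching username, or None. Deliberately injectable."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Product search. Deliberately injectable: a UNION can pull in other tables."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


# --- The fix: parameterised queries; input travels as data, never as SQL ---

def login_safe(conn, username, password):
    """Same check as login_vulnerable, but the values are bound as parameters."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_safe(conn, term):
    """Same search, with the wildcard pattern passed as a bound parameter."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Assumed attacker payloads typed into the login and search forms.
LOGIN_BYPASS = "' OR '1'='1"      # password field: makes the WHERE clause always true
COMMENT_BYPASS = "alice'--"       # username field: '--' comments out the password check
DUMP_USERS = "x%' UNION SELECT username, password FROM users--"  # search box


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, bypass payload:", login_vulnerable(db, "nobody", LOGIN_BYPASS))
    print("vulnerable login, comment payload:", login_vulnerable(db, COMMENT_BYPASS, "x"))
    print("vulnerable search, dump payload:", search_vulnerable(db, DUMP_USERS))
    print("safe login, bypass payload:", login_safe(db, "nobody", LOGIN_BYPASS))
    print("safe search, dump payload:", search_safe(db, DUMP_USERS))
```

Run as written, the vulnerable login accepts both payloads without a valid password, and the vulnerable search returns every username and password from the users table instead of products, which is exactly the data theft described above. The safe versions return no rows for the same payloads: the quote characters and the UNION are compared against the column as literal text, not interpreted as SQL. Note that the bypass payload only works in the password field here because SQL evaluates AND before OR; attackers know these details, which is why testing by someone other than the developer matters.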

Preventative measures are good, but as the owner of the site, you should also take it upon yourself to confirm that your site is not vulnerable. SQL Injection is just one of a range of security problems that could affect your web site, so we would always recommend a regular regime of cyber security health checks in order to detect security issues before the bad guys do.

Summary

Hopefully, I’ve answered the “What is SQL injection?” question sufficiently well for you to know that unless you actively prevent and check for these things, you have no certain way of knowing whether you’re vulnerable. Therefore you need to:

  1. Work with your developer or software vendor to ensure that the web site uses parameterised queries throughout and correctly handles all inputs.
  2. Independently (by which I mean, don’t take your developers’ word for it) test and verify that your site isn’t vulnerable.
  3. Ensure that any issues discovered are fixed properly.
  4. Repeat this cycle on a regular basis.

Further reading

This post is aimed at the non-technical reader. However, if you’re a developer or have technical responsibility for web sites and applications, you could continue by reading the Wikipedia and OWASP entries on SQL injection. Or you could get in touch with us.

PS: What is “SQL” anyway?

“SQL” stands for Structured Query Language, and it is used by both applications and developers to interact with databases. Examples of commonly used databases in e-commerce include MySQL and Microsoft SQL Server. Now you know.
