Examining a SQL Injection

SQL injections require little more than a working knowledge of SQL, but the effects can be dramatic. Simply put, a SQL injection exploits a "hole" in the application: untrusted input is pasted into the text of a SQL query, so the input is parsed as SQL rather than treated as data. If an attacker has the appropriate knowledge of SQL and a vulnerable web application, such an attack can yield a tremendous amount of access to the database behind the website and to every web application that relies on it.

What are the tools you will need to perform a SQL injection? If your target website lacks input validation, all you really need is a web browser and a knowledge of SQL.

The environment and platform affected can be:

  • Language—SQL

  • Platform—Any

SQL injections are common and are serious issues for any website that uses a database as its back end. Those with sufficient knowledge can easily detect and exploit these flaws. Because many websites use a database back end to provide a rich experience for the visitor, this kind of attack can affect even small-scale sites.

Essentially, a SQL injection is carried out by placing special characters (a single quote to close a string literal, a semicolon to end a statement, a comment marker such as -- to discard the rest of the original query) into input that the application concatenates into an existing SQL command. The characters change the structure of the command so that it does what the attacker wants rather than what the developer intended.

The following example illustrates a SQL injection in action and how it is carried out. This example also illustrates the effect of introducing different values into a SQL query.

In the following example, after an attacker with the username “kirk” inputs the string 'name'; DELETE FROM items;-- ' for itemname, the query becomes the following two queries:

Several of the well-known database products, such as Microsoft's SQL Server, allow multiple SQL statements separated by semicolons to be submitted at once. This is formally known as batch execution (in injection write-ups, stacked queries) and allows an attacker to run arbitrary additional commands, such as the DELETE above, on the tail of a query the application meant to be a harmless SELECT. Other databases, and database APIs that accept only one statement per call (the classic PHP mysql_query() interface to MySQL is one example), reject the whole string with an error instead, so the injected batch fails. Knowing the database and the driver you are attacking is therefore essential.

If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a'='a';, the following valid statements will be created:

A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved input is accepted. Prefer a whitelist, which dictates the characters or patterns that are safe, over a blacklist, which lists characters that are unsafe; a blacklist is only as good as the attacker's inability to find an encoding or character it missed. Because one attack point is the transmission to the server, it is necessary to validate all input on the server even if it was already validated on the client. Complete server-side validation is the only way to trust data. The most reliable defense is a parameterized query (prepared statement): the SQL text and the data travel separately and the driver binds the data, so nothing the user types can change the structure of the statement. Most implementations of SQL also support stored procedures. Web application developers can call prewritten stored procedures and pass data as parameters instead of assembling SQL queries, which makes successful SQL injection attacks much harder to carry out, but only if the procedure itself uses its arguments as parameters. A stored procedure that concatenates its arguments into a query string and runs it dynamically is just as injectable as the original page.
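The following added example (not code from the original page) runs the two attacker inputs discussed above against an in-memory SQLite database to show the three behaviors the text describes: a batch-capable execution path where the stacked DELETE empties the table, a single-statement path where the injected batch is rejected with an error and nothing runs, and a parameterized query plus a server-side whitelist where the payload is harmless. The items table, its three rows, and the application query shape (SELECT ... WHERE owner = '...' AND itemname = '...') are assumptions constructed for the example; the page does not show them.

```python
import re
import sqlite3

# Constructed sample data; the table shape and the application's query are
# assumptions for this example, not taken from the original page.
ITEMS = [("kirk", "phaser"), ("kirk", "tricorder"), ("spock", "lyre")]

# The two attacker inputs for itemname discussed in the text, minus the
# quotes that the application itself puts around the value.
PAYLOAD_COMMENT = "name'; DELETE FROM items;-- "
PAYLOAD_TAUTOLOGY = "name'; DELETE FROM items; SELECT * FROM items WHERE 'a'='a"


def fresh_db():
    """In-memory SQLite database holding the three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ITEMS)
    conn.commit()
    return conn


def count_items(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def build_query(user, itemname):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    return ("SELECT owner, itemname FROM items WHERE owner = '" + user
            + "' AND itemname = '" + itemname + "';")


def batch_lookup(conn, user, itemname):
    """Runs the concatenated query through executescript(), which, like
    SQL Server batch execution, runs every ';'-separated statement.
    Returns the number of rows left afterwards (0 once the DELETE ran)."""
    conn.executescript(build_query(user, itemname))
    return count_items(conn)


def single_statement_lookup(conn, user, itemname):
    """Same concatenation through execute(), which accepts exactly one
    statement: the stacked DELETE makes the whole string fail before any
    statement runs (sqlite3.Warning on older Pythons, ProgrammingError on
    newer ones). Returns (rows, error_message)."""
    try:
        return conn.execute(build_query(user, itemname)).fetchall(), None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return None, str(exc)


def safe_lookup(conn, user, itemname):
    """Parameterized query: the driver binds the values, so the payload is
    compared as a literal string and never parsed as SQL."""
    return conn.execute(
        "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?",
        (user, itemname),
    ).fetchall()


# Whitelist of characters an item name may contain (an assumed policy).
ITEMNAME_WHITELIST = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def is_allowed_itemname(value):
    """Server-side whitelist check: only approved characters pass."""
    return ITEMNAME_WHITELIST.fullmatch(value) is not None


def demo(payload):
    """Runs one payload through all code paths on fresh databases and
    returns a summary of what each path did."""
    summary = {}
    conn = fresh_db()
    summary["batch_remaining"] = batch_lookup(conn, "kirk", payload)

    conn = fresh_db()
    _rows, err = single_statement_lookup(conn, "kirk", payload)
    summary["single_remaining"] = count_items(conn)
    summary["single_rejected"] = err is not None

    conn = fresh_db()
    summary["param_rows"] = safe_lookup(conn, "kirk", payload)
    summary["param_remaining"] = count_items(conn)
    summary["whitelisted"] = is_allowed_itemname(payload)
    return summary


if __name__ == "__main__":
    for name, payload in (("comment", PAYLOAD_COMMENT),
                          ("tautology", PAYLOAD_TAUTOLOGY)):
        print(name, demo(payload))
```

Running the script shows batch_remaining 0 for both payloads (the stacked DELETE emptied the table), single_remaining 3 with single_rejected True (the single-statement API refused the whole string, which is the "generate an error and fail" case from the text), and param_remaining 3 with no rows returned and whitelisted False (the bound value simply matched nothing). The whitelist is a second layer, not a substitute for binding: an item name policy that must admit quotes or semicolons still stays safe as long as the query is parameterized.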
