November 14

What is SQL Injection?

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application database.

When a web app utilizes user-provided  data without standard validation  as part of a command or query, that will cause to SQL Injection. SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. In its most common form, a SQL Injection attack gives access to sensitive information such as social security numbers, credit card number or other financial data.

SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query.

Preventing SQL Injection

  • SQL injection can be prevented if you adopt an input validation technique in which user input is authenticated against a set of defined rules for length, type, and syntax and also against business rules.
  • You should ensure that users with the permission to access the database have the least privileges. Additionally, do not use system administrator accounts like “sa” for Web applications. Also, you should always make sure that a database user is created only for a specific application and this user is not able to access other applications. Another method for preventing SQL injection attacks is to remove all stored procedures that are not in use.