SQL Injections

SQL injection is a type of injection attack in which SQL syntax is supplied through a data input (a form field, URL parameter, cookie, or other request data) so that it alters the execution of the application's predefined SQL statements (OWASP, 2022). The attack is possible when an application builds a query by concatenating untrusted input into a SQL string, so that text the developer intended as data is instead parsed as code by the database. A successful injection lets the attacker execute SQL statements of their choosing against the database server behind the web application, most commonly to gain unauthorized access to sensitive data. It remains one of the most common and best-understood web application attack techniques, and the root cause is not a weakness in SQL itself but in the way the application constructs its statements.

As a web security vulnerability, SQL injection enables an attacker to interfere with the queries that an application makes to its database. OWASP describes the main consequences in terms of confidentiality, authentication, authorization, and integrity: a successful attack can disclose sensitive data such as personally identifiable information, passwords and credit card details; bypass a login by making the authentication query return a row regardless of the password supplied; reach data or functions the attacker is not authorized for; and modify or delete records. Two typical examples are retrieving hidden data (for instance, appending a UNION clause to read from columns or tables the query was never meant to expose) and subverting application logic (for instance, commenting out the password check in a login query). The primary defence is to stop untrusted input from ever being parsed as SQL, which parameterized queries (prepared statements) achieve by binding input as data rather than concatenating it into the statement text. Properly written stored procedures, allow-list input validation, and running the application's database account with least privilege limit the impact of any flaw that remains, and secure development practices such as code review and testing help to find the ones that slip through.
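The following is an added example, not code from the page or from OWASP, that shows both paragraphs above in working code against a constructed in-memory SQLite database: a login query built by string concatenation, the two classic payloads (one comments out the password check to subvert the logic, one appends a UNION to retrieve hidden data), and the parameterized version of the same query that treats the identical payloads as plain data. The table, the user records and the helper names (`make_db`, `login_vulnerable`, `login_safe`, `is_valid_username`) are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample database (not from the original page): two users, one of
# them an administrator. A real application would store password hashes, but a
# plaintext column makes the data-exfiltration payload below easy to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so attacker-supplied quotes,
    comment markers and keywords are parsed as SQL by the database."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: '?' placeholders are bound to the input values, so
    the values are never part of the statement text and cannot change it."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Allow-list validation as defence in depth (assumed policy for this example).
# It is not a substitute for parameterization: the safe query above already
# rejects every payload, validation merely refuses junk before it reaches the DB.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


# Payloads typed into the username field; the password field holds anything.
BYPASS_PAYLOAD = "alice' --"          # closes the string, comments out the rest
DUMP_PAYLOAD = "' OR 1=1 --"           # makes the WHERE clause always true
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    conn = make_db()
    # Subverting application logic: the password check is commented out, so the
    # query becomes ... WHERE username = 'alice' and alice is logged in.
    print("bypass  :", login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"))
    # Retrieving hidden data: every row matches, then UNION pulls the password
    # column into the result set the application displays.
    print("all rows:", login_vulnerable(conn, DUMP_PAYLOAD, "x"))
    print("union   :", login_vulnerable(conn, UNION_PAYLOAD, "x"))
    # Same payloads against the parameterized query: no user named "alice' --".
    print("safe    :", login_safe(conn, BYPASS_PAYLOAD, "wrong"))
    print("valid?  :", is_valid_username(BYPASS_PAYLOAD), is_valid_username("alice"))
```

The vulnerable and safe functions issue what looks like the same query; the difference is only whether the database's parser ever sees the user's text. That is why the fix is parameterization rather than escaping or filtering characters, which must anticipate every way a particular database dialect can be tricked.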

References

OWASP (2022). SQL Injection. Retrieved from https://owasp.org/www-community/attacks/SQL_Injection