What is an SQL Injection Attack?

Updated: Dec 21, 2021

SQL (Structured Query Language) injection is an attack that exploits an insecure coding weakness within an application that interacts with a back-end database.


[Figure: SQL injection attack visualised]

Why are SQL injection attacks so dangerous?

An exploitable SQL injection vulnerability can give an attacker access to part of the data or, in some cases, full disclosure of everything held in the database. Depending on the database software, it may also be possible for the attacker to gain remote access to the back-end systems through remote code execution.


How does an SQL injection attack work?

Exploiting SQL injection requires an attacker to insert characters into an HTTP request parameter that the server interprets as forming part of the SQL query itself. This most often causes the genuine query to fail while the inserted query content is executed in its place.


How to mitigate SQL injection vulnerabilities

Modern application frameworks and programming languages offer functionality and development methods that are secure by design. Implementing SQL queries through stored procedures or parameterising dynamic queries is the recommended course of action. Additional server-side input sanitisation can be performed, but it should not be the sole control, as it can often be bypassed by a determined attacker.
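The following example is added here to illustrate both the mechanism described under "How does an SQL injection attack work?" and the parameterised-query mitigation above; it is not code from the original post. It uses Python's standard `sqlite3` module with a constructed in-memory `users` table, and the function names (`lookup_vulnerable`, `lookup_parameterised`, `compare_lookups`) are this example's own. The vulnerable function builds the SQL text by string concatenation, so a quote character in the input changes the structure of the query; the hardened function keeps the SQL text fixed and hands the value to the driver separately.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory sample database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
            ("d'arcy", "darcy@example.com"),  # legitimate name containing a quote
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: untrusted input is concatenated into the SQL text.

    A quote character in `username` closes the string literal, so the
    remainder of the input is parsed as SQL rather than as data.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the SQL text is fixed; the value travels as a bound parameter.

    Whatever characters the input contains, it can only ever be compared
    against the username column; it can never alter the query structure.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare_lookups(username: str) -> dict:
    """Run both lookups on a fresh database and report what each returned.

    The vulnerable path may raise a syntax error when the input breaks the
    query (the "genuine query fails" case); that is recorded as 'error'.
    """
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.OperationalError:
        vulnerable = "error"
    safe = len(lookup_parameterised(conn, username))
    conn.close()
    return {"vulnerable_rows": vulnerable, "parameterised_rows": safe}


if __name__ == "__main__":
    # Constructed inputs: a normal username, a legitimate name containing a
    # quote, and the classic always-true condition used to show injection.
    for value in ["alice", "d'arcy", "' OR '1'='1"]:
        print(repr(value), compare_lookups(value))
```

Three behaviours are worth noting when running this. A plain username returns one row on both paths. A legitimate name containing an apostrophe breaks the vulnerable query outright (a syntax error the application would surface to users) while the parameterised query still finds the right row. The always-true condition turns the vulnerable query into `WHERE username = '' OR '1'='1'`, which returns every row in the table, whereas the parameterised query simply looks for a user literally named `' OR '1'='1` and returns nothing. Attempting to fix the vulnerable path by stripping quotes is exactly the sanitisation approach the text warns is bypassable; binding parameters removes the problem rather than filtering it.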


If you like this blog post, find more content in our Glossary.