SQL injection is a type of vulnerability in database access code that allows attackers to execute unauthorized queries on the database. SQL injection typically occurs when an application uses untrusted input to construct dynamic SQL statements to access the database. SQL injection may also occur if stored procedures build dynamic queries that include untrusted input. Through SQL injection, an attacker can execute arbitrary commands on the database with the privileges of the application. SQL injection applies to all applications that query SQL databases.
SQL injection allows the attacker to access any data in the database. The attacker will usually use this to extract sensitive data from the database. If there are any passwords in the database, the attacker is likely to try to use them to log in as the administrator and take over the application or the server. Some database servers allow so-called "stacked queries", which execute multiple statements separated by a semicolon from one string. If stacked queries are enabled, SQL injection allows the attacker to execute any queries on the database server, which usually allows the attacker to take full control of the application. Many database servers also allow executing arbitrary operating system commands; the attacker may abuse that functionality with SQL injection to take full control of the application or the server.
To prevent this problem, validate all input and use parameterized APIs for database access.
Validate all input:
- Validate Input from All Sources
- Validate Input for Length, Range, Format, And Type
- Validate All Input Passed to the Database
- Input Validation Using JSF
- Input Validation Using SpringMVC
- Input Validation Using Struts 1
- Input Validation Using Struts 2
Use parameterized APIs for database access:
To check for adequate protection against this vulnerability, ensure that all input is validated and that parameterized APIs are used for database access.
All input is validated:
- Input from All Sources Is Validated
- Input Is Validated for Length, Range, Format And Type
- All Database Input Is Validated
Parameterized APIs are used for database access:
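The dynamic-SQL weakness described above, placed beside the parameterized fix and an input-validation check, as an added example that is not part of the original page. It assumes Python's standard sqlite3 module and a constructed in-memory users table; the same pattern applies to any database driver that supports bound parameters.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data (not from the original page): an in-memory table
    # with three users, one of them an administrator.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Dynamic SQL: untrusted input is concatenated into the statement text,
    # so the input can change the structure of the query, not just its value.
    sql = ("SELECT username FROM users WHERE username = '" + username + "'"
           " ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Parameterized API: the statement text is fixed and the driver binds the
    # value separately, so the input is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def validate_username(username, max_len=32):
    # Defence in depth: check type, length and format (letters, digits and
    # underscore only) before the value reaches the database layer.
    if not isinstance(username, str) or not 0 < len(username) <= max_len:
        raise ValueError("username has bad type or length")
    if not re.fullmatch(r"[A-Za-z0-9_]+", username):
        raise ValueError("username has bad format")
    return username


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # constructed input that alters the dynamic query
    print("dynamic SQL returns:", lookup_vulnerable(db, tautology))      # every user
    print("parameterized returns:", lookup_parameterized(db, tautology))  # no match
    print("validated:", validate_username("alice"))
```

The parameterized lookup returns no rows for the altered input because the whole string is compared against the username column, while the concatenated version returns every user.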
Computer Based Training Links
Use the following Computer Based Training courses to learn more about SQL Injection including techniques for remediation and prevention.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Creating Secure Code – JRE Foundations
In this course, you will learn to recognize and remediate common Java Web software security vulnerabilities. This course has three modules, which introduce you to these vulnerabilities and help you to identify and remediate them.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact email@example.com for help.
- For more information about SQL injection attacks, please see http://en.wikipedia.org/wiki/SQL_injection