An SQL injection attack, also known as an SQL insertion attack, is a code injection technique that exploits security vulnerabilities in the database layer of an application.
It can be performed whenever data captured from an end user is not properly parsed or validated before being used in a dynamic SQL statement that interacts with the database, and it can cause unexpected, and often undesired, results. For instance, instead of simply returning information from a table, the attack could populate tables with malicious code, such as malware JavaScript, or drop them altogether. Sensitive personal information could also be pulled from the database, which would of course be a major breach of security and privacy.
To guard against SQL injection attacks, avoid using user input directly in dynamic SQL statements. User input should be validated to ensure it contains only the data it should contain; for example, if numeric data is expected, the application should check that the input is indeed numeric. White-listing, which checks that user input falls within an expected range of values, is another option.
Parameterised statements can also be used. These use parameters, sometimes called placeholders or bind variables, instead of embedding the user input in the statement: the SQL statement text is fixed and the user input is bound to the parameters. If the input does not conform to what the statement expects, the application will fail, so it is also advisable to handle that case explicitly; it looks unprofessional if your web page or application gives a default client-side error because the code is broken.
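The three defences above (numeric validation, a fixed statement with bound parameters, and the dynamic-SQL form they replace), as an added example that is not part of the original article. It uses Python's standard sqlite3 module on an in-memory database with a constructed users table; the function names and the sample rows are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Dynamic SQL: the user-supplied value is spliced into the statement text,
    # so a quote in the input changes the meaning of the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    # Parameterised statement: the SQL text is fixed and the input is bound
    # to the ? placeholder, so it is only ever treated as a string value.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def is_valid_id(raw_id):
    # Numeric input is validated before use: digits only, and positive.
    return raw_id.isdigit() and int(raw_id) > 0


def lookup_by_id(conn, raw_id):
    # Reject anything that is not a positive integer with a clear error,
    # rather than letting a malformed value reach the database layer.
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]
```

With a constructed hostile input such as a quoted tautology, the vulnerable lookup returns every user while the parameterised lookup returns none, because no user has that literal name.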
SQL injection attack examples:
WHID 2006-3: Russian hackers broke into a RI GOV website
Mass SQL Injection Attack Targets Chinese Web Sites
Huge Web hack attack infects 500,000 pages