SQL injection is an attack against web applications that exploits poor application coding: user input is concatenated directly into the text of an SQL query instead of being passed to the database as a parameter (or at least validated), so the input is parsed as part of the query. SQL injection is the best-known of the injection attacks, a family that also includes LDAP and XML injection. The idea behind an SQL injection is to modify the application's SQL (database language) query so as to read or modify data the attacker is not authorized to access and, in some database configurations, to execute commands on the server. Most web applications rely on a database where the application data is stored and accessed through SQL queries, so altering these queries can mean taking control of the application. An attacker may, for example, log in as an administrator without knowing the password, read or change other users' data, drop or create objects in the database and, where the database exposes such features, run commands on the underlying server.
For instance, the SQL query below, meant to authenticate users, is common in web applications (userinput1 and userinput2 are copied straight from the login form into the query string):
myQuery = "SELECT * FROM userstable WHERE username = 'userinput1' and password = 'userinput2';"
- Replacing userinput1 by  ' OR 1=1 --  (a single quote to close the string, then OR 1=1, then two dashes) turns the query into  SELECT * FROM userstable WHERE username = '' OR 1=1 --' and password = 'userinput2';  and grants the attacker access without knowing a real username and password: the condition 1=1 is always true, so the query returns every row of the table (the application typically logs the attacker in as the first user returned, often the administrator), and the rest of the query is ignored because the two dashes start an SQL comment. In MySQL the comment only starts if the two dashes are followed by a space, so the payload is usually written with a trailing space.
- Replacing userinput1 by  '; DROP TABLE userstable; --  would additionally drop the application's users table. This variant only works if the database driver lets the application send several statements in one call (stacked queries); many drivers execute a single statement per call and reject the rest, in which case the DROP never runs while the OR 1=1 bypass above still does.
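The two payloads above run against a real database, as an added example that is not part of the original text. It uses Python's built-in sqlite3 module with a constructed in-memory userstable holding two made-up accounts (schema and rows are assumptions for the demonstration). login_vulnerable builds the query by string concatenation exactly as the text shows, login_parameterized is the corrected form where the input is bound as a parameter and can never be parsed as SQL, and stacked_payload_lands shows what happens to the DROP TABLE payload when the driver refuses more than one statement per call.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the example; schema and accounts are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userstable (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO userstable VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def build_query(userinput1, userinput2):
    """The query from the text, assembled by string concatenation (the vulnerable pattern)."""
    return (
        "SELECT * FROM userstable WHERE username = '" + userinput1
        + "' and password = '" + userinput2 + "';"
    )


def login_vulnerable(conn, userinput1, userinput2):
    """User input becomes part of the SQL text, so quotes and comments in it are parsed as SQL."""
    return conn.execute(build_query(userinput1, userinput2)).fetchall()


def login_parameterized(conn, userinput1, userinput2):
    """The fix: placeholders plus a parameter tuple. The driver sends the input as data only."""
    return conn.execute(
        "SELECT * FROM userstable WHERE username = ? AND password = ?",
        (userinput1, userinput2),
    ).fetchall()


def stacked_payload_lands(conn):
    """Sends the DROP TABLE payload through the vulnerable login.

    sqlite3's execute() runs one statement per call and raises on a second one
    (ProgrammingError since Python 3.11, sqlite3.Warning before), so the DROP is
    never reached. Returns (driver refused the call, userstable still exists).
    """
    payload = "'; DROP TABLE userstable; -- "
    try:
        login_vulnerable(conn, payload, "x")
        refused = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        refused = True
    still_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'userstable'"
    ).fetchone()[0] == 1
    return refused, still_exists


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 -- "  # trailing space so the comment also works on MySQL
    print("legitimate login:     ", login_vulnerable(db, "alice", "s3cret"))
    print("bypass, vulnerable:   ", login_vulnerable(db, bypass, "anything"))
    print("bypass, parameterized:", login_parameterized(db, bypass, "anything"))
    print("stacked DROP payload: ", stacked_payload_lands(db))
```

With the bypass payload the vulnerable function returns both accounts, because the WHERE clause has become username = '' OR 1=1 with the password check commented out; the parameterized function returns nothing, since the whole payload is compared literally against the username column. The same concatenated query containing the DROP is rejected by this driver before any statement runs, which is why the page's second payload only pays off on database stacks that accept stacked queries.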