SQL injection
SQL injection is a prevalent attack technique in which an attacker manipulates a database through the structured query language (SQL) that a web application uses to communicate with it. The attack works by supplying input, typically through a web form or URL parameter, that the application pastes into an SQL statement without separating code from data, so the attacker's text is executed as part of the query. Targeting user input fields, attackers submit fragments of SQL instead of ordinary data, which can give them unauthorized access to, and control over, sensitive data stored in the database, including usernames, passwords, and financial details.
The origins of SQL injection attacks can be traced to the late 1990s, coinciding with the rise of web applications that relied on SQL databases. Over the years it has become one of the most common causes of data breaches, reportedly responsible for a large share of such incidents between 2005 and 2011. Notable examples of SQL injection attacks include incidents involving high-profile organizations such as NASA and the Wall Street Journal.
Defending against SQL injection is relatively straightforward. The primary defense is to keep user input out of the SQL text altogether by using parameterized queries (prepared statements); validating and filtering input, deploying a web application firewall, and restricting what the application's database account is allowed to do add further layers. By ensuring that data supplied by users can never be interpreted as SQL code, organizations can largely eliminate the risks associated with this type of vulnerability.
SQL injection
An SQL injection is a common technique used by hackers to gain access to a computer database. The attack supplies malicious input, usually through a web form or a URL parameter, that the application incorporates into a structured query language (SQL) statement, so that the attacker's text is executed as part of the query. SQL is the standardized language used to query and manage relational databases and to perform operations such as looking up user names and passwords. An SQL injection is one of the oldest, easiest to implement, and most widely used attacks in a hacker's arsenal. It is also one of the easiest to defend against. The method most likely began in the late 1990s and has been used against targets such as the National Aeronautics and Space Administration (NASA) and the Wall Street Journal.
Background
In the first decades of the computer era, the term hacker was not associated with malicious activity. It is believed to have originated in the 1950s at the Massachusetts Institute of Technology (MIT), where it referred to students who liked to "hack" around with the electrical systems of their model trains. In the 1960s, the term became almost exclusively attached to curious computer users. A hacker was someone who enjoyed devising shortcuts to make the large, room-sized computers of the day more efficient.
In the early 1970s, a computer programmer named John Draper discovered that a toy whistle from a cereal box could be used to obtain free long-distance phone calls. Draper, who called himself "Captain Crunch" after the cereal, used the whistle to mimic the control tone (2600 Hz) that the phone company's switching equipment listened for. His discovery spawned a dedicated group of phone hackers who called themselves phreakers. Communities of telephone and computer hackers developed in the 1980s; however, much of their activity was more mischievous and subversive than malicious. With the proliferation of the internet in the 1990s, computer crime became more pronounced. Banks, government offices, and internet providers became prime targets of attacks. As a result, the term computer hacker came to be associated with criminal acts.
Hackers can use numerous methods to gain access to a computer or a network. Among the most common are viruses and trojans, malicious programs (the latter disguised as legitimate software) that, once installed on a system, steal, copy, or delete files or data. Another is phishing, in which victims are sent a link to a fraudulent website impersonating a real one in order to trick them into entering personal information. Hackers can also use keylogging software that records users' keystrokes to capture their passwords, or lure users into clicking on fake advertisements that funnel them to a page serving malicious software.
Overview
As the internet boom of the 1990s was evolving, website developers began creating more user-friendly pages to help people navigate the online world. Among the innovations was the web form, an online page resembling a paper document that allows users to enter data which is then transmitted to a server for processing and storage in a database. Web forms typically feature fields for text and password information, checkboxes, and a button to submit the data. The language used to query and manage the database behind such a site is structured query language (SQL). A website issues SQL statements whenever it needs to read or update information in its database, either for processing or for presentation to a user.
In the late 1990s, hackers began targeting SQL as a way to gain access to database information. Computer experts first documented this type of attack around 1998, when they observed attacker-supplied commands being "piggybacked" onto the SQL statements an application already issued. The attack exploits a vulnerability that arises when an application builds an SQL statement by pasting user input directly into the query text: the database cannot distinguish the developer's code from the attacker's data, so crafted input can force it to perform tasks it was never intended to do. When prompted for information such as a user name or a request for website content, the hacker instead supplies a fragment of SQL, which the application unknowingly runs against its database.
For example, a company website may let visitors search a list of laptop models it offers for sale. Instead of a model name, an attacker submits a search term that closes the intended query and appends a second one, tricking the database into returning different data altogether, such as the email addresses of everyone who has purchased one of those laptops. Hackers can likewise tamper with login forms: by placing special characters such as a quotation mark, a comment marker, or an always-true condition in the user name or password field, they change the meaning of the statement that checks credentials. This can bypass password verification entirely and allow the hacker to log in as an administrator. The hacker can then freely read or alter the data in the database, including user names, passwords, credit card numbers, and other personal information.
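The following Python script is an added illustration of both attacks described above; it is not code from the original article or from any organization it names. It builds a throwaway SQLite database from constructed sample data for the laptop-shop scenario, runs the two injections against queries that paste user input into their SQL text, and then feeds the same inputs to parameterized versions of the same queries. Every table, row, and credential in it is invented for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the laptop-shop scenario (not a real system).

    Passwords are stored in plaintext only to keep the example short; a real
    application stores password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE laptops (model TEXT, price INTEGER);
        INSERT INTO laptops VALUES ('ZenBook 14', 899), ('ThinkPad X1', 1499);
        CREATE TABLE users (username TEXT, password TEXT, email TEXT, is_admin INTEGER);
        INSERT INTO users VALUES
            ('admin', 'hunter2', 'admin@example.com', 1),
            ('alice', 's3cret',  'alice@example.com', 0);
    """)
    return conn


# --- Vulnerable: user input is pasted straight into the SQL text ---------

def search_laptops_vulnerable(conn, model):
    # With model = "' UNION SELECT username, email FROM users --" the text becomes
    #   ... WHERE model LIKE '%' UNION SELECT username, email FROM users --%'
    # The quote closes the search string, UNION piggybacks a second query that
    # reads the users table, and -- comments out the leftover quote.
    sql = f"SELECT model, price FROM laptops WHERE model LIKE '%{model}%'"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    # With username = "admin' --" the password check is commented away:
    #   ... WHERE username = 'admin' --' AND password = '...'
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


# --- Hardened: parameterized queries keep code and data separate ---------

def search_laptops_safe(conn, model):
    # The statement's shape is fixed; the driver passes the value separately,
    # so a quote or keyword in the input is matched literally, never parsed.
    sql = "SELECT model, price FROM laptops WHERE model LIKE ?"
    return conn.execute(sql, (f"%{model}%",)).fetchall()


def login_safe(conn, username, password):
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    exfil = "' UNION SELECT username, email FROM users --"   # attack 1: piggybacked query
    bypass = "admin' --"                                     # attack 2: login bypass
    print("vulnerable search :", search_laptops_vulnerable(db, exfil))
    print("vulnerable login  :", login_vulnerable(db, bypass, "anything"))
    print("safe search       :", search_laptops_safe(db, exfil))
    print("safe login        :", login_safe(db, bypass, "anything"))
```

Running the script shows the vulnerable search returning the users' email addresses alongside the laptops and the vulnerable login accepting `admin' --` with any password, while the parameterized versions treat the same strings as ordinary data and return nothing. One caveat: Python's `sqlite3` module refuses to run more than one statement per `execute()` call, so "stacked" injections such as `'; DROP TABLE users; --` fail here, but many other database drivers and servers permit them, and that accidental protection should never be relied upon.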
SQL injections are one of the most widely used forms of illegal entry for hackers; one 2011 estimate attributed 83 percent of data breaches between 2005 and 2011 to such attacks. The most reliable defense is to keep user input out of the SQL text altogether by using parameterized queries (also called prepared statements), in which the query is written with placeholders and the database driver passes the user's values separately, so they can never be interpreted as code. "Sanitizing," or validating and filtering out suspicious or nonconforming input, adds a further layer, as do web application firewalls that monitor requests for known attack patterns and database accounts granted only the minimum access an application needs, which limits what a successful injection can read or change.
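As a second added example, again not from the original article or from any firewall product, the following Python script shows a simplified version of the signature check a web application firewall or log monitor performs, run over a handful of constructed request lines invented for the example. It demonstrates two things the paragraph above implies: such a filter must decode and normalize input before matching, or trivially encoded payloads slip past it; and even then it remains a secondary defense, because the last request uses a condition the signature list does not cover, and any finite list of patterns can be evaded in the same way.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines (invented for this example, not real logs): the
# path and query string of each GET request as a WAF would see it.
SAMPLE_REQUESTS = [
    "GET /laptops?model=Think",                                                            # benign
    "GET /laptops?model=%27%20UNION%20SELECT%20username%2C%20email%20FROM%20users%20--",   # URL-encoded UNION exfiltration
    "GET /login?user=admin%27%20--&pass=x",                                                 # comment-out login bypass
    "GET /laptops?model=%27%20UNION%2F%2A%2A%2FSELECT%20username%2Cemail%20FROM%20users%2D%2D",  # keywords split with /**/
    "GET /laptops?model=O%27Brien",                                                        # benign apostrophe
    "GET /laptops?model=%27%20OR%20model%20LIKE%20%27%25",                                 # always-true LIKE, not in the list
]

# Signatures for the three injection shapes discussed on the page.
SIGNATURES = [
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR '1'='1  (always-true condition)
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),   # piggybacked UNION query
    re.compile(r"'\s*--", re.I),                        # quote closed, remainder commented out
]


def naive_match(raw_request: str) -> bool:
    """Match the signatures against the request exactly as received."""
    return any(p.search(raw_request) for p in SIGNATURES)


def normalize(raw_request: str) -> str:
    """Undo the encodings an attacker uses to hide keywords from a naive filter."""
    s = unquote_plus(raw_request)                  # %27 -> ', %20 or + -> space
    s = unquote_plus(s)                            # double encoding: %2527 -> %27 -> '
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # UNION/**/SELECT -> UNION SELECT
    return re.sub(r"\s+", " ", s)                  # collapse whitespace variants


def normalized_match(raw_request: str) -> bool:
    """Match the signatures after normalization."""
    return any(p.search(normalize(raw_request)) for p in SIGNATURES)


def triage(requests):
    """Return (request, flagged_naively, flagged_after_normalization) per line."""
    return [(r, naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for req, naive, norm in triage(SAMPLE_REQUESTS):
        print(f"naive={naive!s:5} normalized={norm!s:5}  {req}")
```

Run as written, the naive check flags none of the encoded attacks, the normalized check flags the three it has signatures for and leaves the two benign lines alone, and both miss the final request, which is exactly the kind of gap that makes parameterized queries, not filtering, the primary control.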
In 2009, a hacker used an SQL injection to obtain the administrative credentials of twenty-five employees at NASA's Instrument Systems and Technology Division and Software Engineering Division. In 2014, a hacker used the same technique to access databases of the Wall Street Journal and offered to sell the newspaper's information online. SQL injections were also behind the theft of passwords from the security firm HBGary Federal in 2011, a 2015 attack on the Hong Kong-based toy maker VTech that exposed the personal information of millions of parents and children, and the theft of an estimated 130 million debit and credit card numbers from Heartland Payment Systems, an intrusion that began in 2008 and was disclosed in 2009.