SQL Injection

SQL injection is an attack against an application that builds database queries from user-supplied input. The attacker submits input that the application inserts into an SQL statement, so that the database interprets it as part of the query rather than as plain data. The manipulated query can then read or modify records the attacker is not authorised to touch, expose sensitive information, or otherwise disrupt business operations.

Terms related to SQL Injection: Structured Query Language, SQL, Vulnerability, Exploit, Cybersecurity, Malware, Breach, Encryption, Patch.

Structured Query Language (SQL) is a popular computer language that is used to query, access, and manage databases. SQL is widely used across all industries, sectors, and database technologies. Because databases are where customer, business, and other sensitive data is held, they are a popular target for criminals and hackers.

An SQL injection attack rarely depends on a bug in the database engine itself. It exploits a flaw in the application in front of the database: the application concatenates untrusted input into an SQL statement instead of passing it as a separate parameter. Because SQL lets complex conditions and even additional statements be expressed inside a query, input that is inserted in the right place and with the right syntax changes the meaning of the whole statement, and the database executes the attacker's logic as if it were the application's own query.

The attacker supplies the input through any channel the application forwards to the database: a web form, a URL parameter, an HTTP header, or an API request. Typically they try variations of SQL syntax in a field (a single quote, a comment sequence such as --, an always-true condition such as ' OR '1'='1) and watch for error messages or changed behaviour that reveal the input is being executed. A successful payload may return rows the user should never see, bypass an authentication check, or cause the database to run additional statements that compromise it further.

Automated tools have made SQL injection attacks more common. An attacker can point a scanner at a web form or API endpoint, set a few parameters, and let the tool submit payloads and identify injectable fields without manual effort.

The most effective defence is to never build SQL statements by concatenating user input. Parameterised queries (prepared statements), or a well-tested ORM that uses them, bind input as data so it can never alter the structure of the query. Input validation adds a second layer: each field should accept only the type, length and format it actually needs and reject everything else. Running the application under a least-privilege database account limits what an injected query can do if a flaw remains. Vulnerability assessments and patching of the database and application stack are still worthwhile, but they do not fix injection in the application's own code. Finally, rejected input and unexpected database errors should be logged and reported so that probing attempts are detected early.
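The following example, added here and not taken from the original page, shows the mechanism described above and the parameterised fix side by side. It uses Python's built-in sqlite3 module against a small in-memory table of constructed sample users, so it runs offline. The function names, the users table, and the two payloads are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [
    ("alice", "hunter2", "admin"),
    ("bob", "s3cret", "user"),
]


def make_db():
    """Create an in-memory database with a users table (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT, password TEXT, role TEXT)"
    )
    # Even the setup uses bound parameters rather than string building.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a quote
    or a comment sequence in the input rewrites the WHERE clause.
    """
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query, but the values are bound as parameters.

    The SQL text is fixed; the driver hands the values to the engine
    separately, so they are always compared as data, never parsed as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def validate_username(value, max_len=32):
    """Allow-list validation: only ASCII letters and digits, bounded length."""
    return value.isascii() and value.isalnum() and 0 < len(value) <= max_len


# Crude heuristic for logging and alerting only. It is NOT a defence:
# attackers can encode around it, so the real fix is parameterisation.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*")


def looks_suspicious(value):
    """Return True when input contains characters typical of SQL probing."""
    return bool(_SUSPICIOUS.search(value))


if __name__ == "__main__":
    conn = make_db()

    # Payload 1: a comment sequence truncates the password check.
    #   WHERE username = 'alice' --' AND password = 'wrong'
    payload_user = "alice' --"
    # Payload 2: an always-true condition makes every row match.
    #   WHERE username = 'x' AND password = '' OR '1'='1'
    payload_pass = "' OR '1'='1"

    print("vulnerable, comment payload :", login_vulnerable(conn, payload_user, "wrong"))
    print("vulnerable, OR payload      :", login_vulnerable(conn, "x", payload_pass))
    print("safe, comment payload       :", login_safe(conn, payload_user, "wrong"))
    print("safe, OR payload            :", login_safe(conn, "x", payload_pass))
    print("safe, real credentials      :", login_safe(conn, "bob", "s3cret"))
    for candidate in ("alice", payload_user):
        print(f"validate {candidate!r}: allowed={validate_username(candidate)}, "
              f"suspicious={looks_suspicious(candidate)}")
```

Note the second payload: because AND binds tighter than OR, the injected condition is evaluated as (username = 'x' AND password = '') OR '1'='1', which is true for every row, so the vulnerable login returns the whole table. The parameterised version receives exactly the same strings and returns nothing, because the quote and the OR are just characters in a password value.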