"This server is vulnerable to an SQL injection attack. Make sure the input SQL query is validated."
SQL injection is a vulnerability in the code of websites and web applications. It allows an attacker to interfere with the queries an application makes to its database and, through them, hijack back-end processes.
SQL injection attacks happen when data enters a program from an untrusted source and is then used to dynamically construct an SQL query, so that the data is interpreted as part of the query itself.
When SQL injection attacks are successful, attackers can:
Prevent SQL injection attacks by:
Using prepared statements (with parameterized queries) so that the parameters (inputs) passed into SQL statements are bound as values and never interpreted as SQL.
Validating input data against allowlists, not blocklists. Do not filter user input based on blocklists: attackers almost always find a way to bypass such a list. Where possible, verify and filter user input using strict allowlists only.
Escaping special characters in input parameters only when parameterized queries and input validation are not possible.
Enforcing the principle of least privilege and strengthening access controls on your website, so that a successful injection is limited in what it can reach.
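The following is an added example, not code from the original page: a query built by string concatenation next to its parameterized form, plus an allowlist check on the input, run against a constructed in-memory SQLite table. The table contents, the username pattern and the function names are assumptions made for the illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input is concatenated into the query text, so whatever the
    # caller supplies becomes part of the SQL grammar. This is the defect.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    # Prepared statement: the query text is fixed and the value is bound
    # separately, so the driver treats the input purely as data.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed allowlist: usernames are 1-32 lowercase letters, digits or underscores.
USERNAME_ALLOWLIST = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    # Allowlist validation: reject anything outside the permitted character set
    # instead of trying to enumerate the characters an attacker might use.
    if not USERNAME_ALLOWLIST.fullmatch(username):
        raise ValueError("invalid username")
    return username


def find_user_safe(conn, username):
    # Defence in depth: validate against the allowlist, then bind as a parameter.
    return find_user_parameterized(conn, validate_username(username))
```

Running the classic tautology input against the vulnerable function returns every row, while the parameterized form matches nothing and the allowlisted form rejects it outright.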
To implement this principle: