SQL injection

Structured query language injection

"This server is vulnerable to an SQL injection attack. Make sure the input SQL query is validated."

Problem

An SQL injection attack is a type of vulnerability in the code of websites and web applications. This vulnerability allows an attacker to hijack back-end processes and interfere with the queries that an application makes to its database.

SQL injection attacks happen when data enters a program from an untrusted source. The data is then used to dynamically construct an SQL query.

When SQL injection attacks are successful, attackers can:

  • Log in to an application or a website front-end without a password.
  • Access, modify, and delete stored data from secured databases.
  • Create their own database records or modify existing records, paving the way for more attacks.

Solution

Prevent SQL injection attacks by:

  1. Using prepared statements (with parameterized queries) to make sure that the parameters (inputs) passed into SQL statements are handled in a safe manner.

  2. Allowlisting input data validation (do not blocklist). Do not filter user input based on blocklists. Attackers almost always find a way to bypass your list. If possible, verify and filter user input using strict allowlists only.

  3. Escaping special characters from input parameters when parameterized queries and validation of input data are not possible.

  4. Enforcing the principle of least privilege, strengthening access controls to your website to reduce security threats.

    To implement this principle:

    • Use the minimum set of privileges on your systems to perform an action.
    • Give privileges only for as long as the action is needed.
    • Do not give administrator access rights to application accounts.
    • Minimize the privileges of each database account in your environment.