Relational databases store information in tables — with columns that are analogous to the fields of a data structure and rows, each of which is one instance of that structure. The SQL language is used to interact with that database information.
SQL injection refers to the situation where careless programming in the handling of SQL allows clever attackers to manipulate HTML form input to “poison” SQL statements, subverting security measures and opening up all your data to their scrutiny. There are few circumstances more terrifying than discovering that your precious intellectual property, customer information including credit card details, and more are being perused by your competition or being sold on the dark web.
Herein we cover the basics of SQL injection, a huge topic with decades of background, to provide the first steps in understanding the importance of properly handling your SQL, the techniques used by your adversaries (even if you didn’t realize you had adversaries), and starting points for armoring your database.
The SQL injection attack works by “poisoning” dynamic SQL statements to cause a behavior other than what the programmers intended. A “dynamic statement” is one that is generated at run-time by splicing in parameters passed from a web form or URI query string, so the input text becomes part of the statement itself.
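To make the difference concrete, here is an added example (not code from the original post) that builds a login check both ways against a small constructed SQLite table: the dynamic version splices the form values into the statement text, the hardened version passes them as bound parameters so they can only ever be data. The table, the user record and the poisoned password value are all constructed for this illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_dynamic(conn, username, password):
    """Vulnerable: the statement is assembled at run-time from the form values,
    so a quote character in the input changes the statement's syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    """Hardened: the statement text is fixed; the database driver binds the
    values separately, so the same input is compared as a literal string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def compare_outcomes():
    """Run a genuine login and a poisoned one through both versions and
    report who each version lets in (empty list means 'access denied')."""
    conn = make_db()
    # Constructed poisoned form value: the leading quote closes the password
    # literal and the rest turns the WHERE clause into a tautology.
    poisoned = "' OR '1'='1"
    return {
        "genuine_dynamic": login_dynamic(conn, "alice", "correct horse"),
        "genuine_param": login_parameterized(conn, "alice", "correct horse"),
        "poisoned_dynamic": login_dynamic(conn, "alice", poisoned),
        "poisoned_param": login_parameterized(conn, "alice", poisoned),
    }

if __name__ == "__main__":
    for case, rows in compare_outcomes().items():
        print(f"{case:18s} -> {rows}")
```

The dynamic version grants access to the poisoned request because the WHERE clause it executes is `username = 'alice' AND password = '' OR '1'='1'`; the parameterized version denies it because the whole string is compared against the stored password.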