SQL injection (or SQLi) is a serious vulnerability responsible for many high-profile data breaches.
SQL injection typically allows an attacker to extract the entire database from the vulnerable website, including user information, encrypted passwords, and business data. This can subsequently lead to mass compromise of user accounts, data being encrypted and held to ransom, or stolen data being sold to third parties. Many SQL injection vulnerabilities can be easily found and abused using off-the-shelf tools, making them highly likely to be exploited than vulnerabilities that require a skilled attacker.
SQL injection vulnerabilities normally arise when an application incorporates user data into a database query in an unsafe manner. An attacker can manipulate the data to cause their own database query to execute, allowing them to read or modify the contents of the database.
Organizations that fall victim to SQL injection attacks are often unaware that the vulnerability has been exploited. In some cases, victims become aware of vulnerabilities many months or years after they have been exploited by attackers to steal the organization's data.
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.
The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective: