SQL Injection Cheat Sheet & Tutorial:

Vulnerabilities & How to Prevent SQL

Injection Attacks
What is SQL Injection?

SQL injection is a type of web application

security vulnerability in which an attacker is able to submit a database SQL
command that is executed by a web application, exposing the back-end database. A
SQL injection attack can occur when a web application utilizes user-supplied data
without proper validation or encoding as part of a command or query. The specially
crafted user data tricks the application into executing unintended commands or
changing data. SQL injection allows an attacker to create, read, update, alter or
delete data stored in the back-end database. In its most common form, a SQL
injection attack gives access to sensitive information such as social security
numbers, credit card numbers or other financial data. According to Veracodes State
of Software Security Report, SQL injection is one of the most prevalent types of
web application security vulnerability.

Key Concepts of a SQL Injection Attack

SQL injection is a software vulnerability that occurs when data entered

by users is sent to the SQL interpreter as a part of a SQL query.
Attackers provide specially crafted input data to the SQL interpreter
and trick the interpreter to execute unintended commands.
Attackers utilize this vulnerability by providing specially crafted input
data to the SQL interpreter in such a manner that the interpreter is not
able to distinguish between the intended commands and the attackers
specially crafted data. The interpreter is tricked into executing unintended
commands.
A SQL injection attack exploits security vulnerabilities at the database
layer. By exploiting the SQL injection flaw, attackers can create, read,
modify or delete sensitive data.

SQL Injections: The Most Prevalent Type of Application Security

Vulnerability

With more than 20 percent of all web vulnerabilities being attributed to SQL injection,
this is the second most common software vulnerability. Therefore, having the ability
to find and prevent SQL injection should be top of mind for web developers and
security personnel. In general, a SQL injection attack exploits a web application that
does not properly validate or encode user-supplied input and then uses that input as
part of a query or command against a back-end database. For example, a typical
form may ask for an ID and create a URL:
"http://www.somewebsite.com/id/id.asp?id=somedata". An attacker using
SQL injection may enter "somedata or 1=1". If the web application does not
properly validate or encode the user-supplied data and sends it directly to the
database, the reply to the query will expose all IDs in the database, since the
condition "1=1" is always true. This is a basic example, but it illustrates the
importance of sanitizing user-supplied data before using it in a query or
command.

SQL Injection Video

The following video tutorial on SQL injection walks you through more on topics such
as "what is SQL injection?" "methods of SQL injection protection" and "how to avoid
a SQL injection attack."
Lets look at the example code below.

You will notice that user input is required to run this query. The interpreter will execute
the command based on the inputs received for the username and password

fields.
If an attacker provides or 0=0 as the username and password, then the query will be
constructed as:
String SQLQuery =SELECT Username, Password FROM users WHERE
Username= or 0=0 AND Password= or 0=0;

Since under all circumstances, zero will be equal to zero, the query will return all records
in the database. In this way, an unauthorized user will be able to view sensitive

information.

Preventing SQL Injection

You can prevent SQL injection if you adopt an input validation

technique in which user input is authenticated against a set of defined
rules for length, type and syntax and also against business rules.
You should ensure that users with the permission to access the
database have the least privileges. Additionally, do not use system
administrator accounts like sa for web applications. Also, you should
always make sure that a database user is created only for a specific
application and this user is not able to access other applications. Another
method for preventing SQL injection attacks is to remove all stored
procedures that are not in use.
Use strongly typed parameterized query APIs with placeholder
substitution markers, even when calling stored procedures.
Show care when using stored procedures since they are generally safe
from injection. However, be careful as they can be injectable (such as via
the use of exec() or concatenating arguments within the stored procedure).

SQL Injection Cheat Sheet

The following SQL Injection Cheat Sheet provides a summary of everything you need to
know about SQL injection. The SQL Injection Cheat Sheet contains the key concepts of
a SQL injection attack, a SQL injection example and tips to avoid a SQL injection hack.
Download our SQL Injection Cheat Sheet

"What is SQL Injection?" an Injection Attack Infographic

To further illustrate injection attacks and preventative steps, we've created this original
infographic titled "What is SQL injection," which serves as a visual tutorial to
demonstrate how you might be vulnerable to injection attacks, how you can prevent SQL
injection and an additional example of SQL injection. If you like this infographic, please
share it. And you can embed it on your website with the HTML code below it.