What Is An SQL Injection? [MakeUseOf Explains]
The world of Internet security is plagued with open ports, backdoors, security holes, Trojans, worms, firewall vulnerabilities and a slew of other issues that keep us all on our toes every day. For private users, viruses and worms seem to be the worst of the possibilities. But for anyone running a database, the SQL injection is one of the most destructive security flaws out there.
Databases are extremely valuable in the realm of computers. They’re essential for storing data as memory and showing the various relationships between points of data. Here at MakeUseOf, we have numerous databases dedicated to various tasks: one for all of our articles, one for our userbase, one for our Rewards program, and the list goes on. What happens when our databases are maliciously attacked – or even destroyed?
When you don’t have actual access to a database, the SQL injection is one of the most prominent forms of attack. Keep reading to learn what it is exactly and how it can be so dangerous.
What Is SQL, Anyway?
To understand SQL injection, you have to first understand what SQL is and how it relates to a website. SQL, which stands for Structured Query Language, is a type of programming language optimized for managing tabular data. For all intents and purposes, it’s just a way for programmers to communicate with a database and give it commands.
Whenever a database is being acted upon, there are SQL commands being given and processed. If you think about all of the times when a database is being acted upon, you’ll conclude that it only happens in a handful of circumstances:
- When new data needs to be inserted,
- When current data needs to be changed,
- When old data needs to be deleted,
- When a particular piece of data needs to be searched and retrieved.
Any time one of these actions needs to occur, an SQL command is being executed somewhere on a server. For the most part, the programmer gets to determine when and where these SQL commands occur in the source code. However, there are unavoidable circumstances when a user can force a manipulation of a database – and those opportunities are all around you.
Have you ever logged into a website? Have you ever posted a comment on a blog article or a reply in a forum thread? Ever sent a Facebook message to a friend? Typed an email in Gmail? Searched for a website on Google? Any time you see an input field on a website (username, password, search query, message box, etc.), that text is sent to the database and acted upon.
Now, if a malicious user wanted to tamper with a database, there aren’t very many choices for him. One possibility would be to gain actual physical access to the server and destroy it at its base. But otherwise, it makes the most sense for the malicious user to hijack an existing SQL command when using an input field, thus forcing the server to perform a command different from what was originally intended.
The SQL Injection Technique
This act of hijacking an existing SQL command is what SQL injection refers to. Why is it called injection? Because hijacking an SQL command requires the user to inject his own SQL code when using an input field. Does that sound confusing? Let me illustrate with an example.
Consider MakeUseOf’s login page. When you enter your username and password and hit “Submit“, you’re forcing the web server to generate an SQL command that involves the information you just gave–that is, your username and password. The database receives the information, verifies that the username/password combination is correct, then gives you the proper access to other areas of the site.
Now imagine what would happen if a malicious user didn’t enter his username and password, but instead typed an SQL command as his username? If the server code isn’t properly secured, the database will receive the faulty username (which is really an SQL command) and actually run it as a command.
And that’s why it’s called injection. The SQL command is injected into the database through entirely legitimate means, manipulating it such that it ends up doing something it wasn’t meant to do.
An Advanced Example
Up until now, I’ve described SQL injection in high-level terms so that anybody can understand–even those without programming knowledge. In this section, I’m going to give an actual example of how this technique is possible. If you’re an SQL newbie, or if you’ve never dealt with programming before, then you can quietly skip this section.
When logging into a website, here’s a possible way that the code could be written in SQL:
WHERE username=’$username’ AND password=’$password’
Basically, the command asks the database to return all user_ids from the table users_db that match the inputted username and password combination. Looks all fine and dandy, right?
Let’s suppose that the login form was given the following inputs:
Password: fubar’ OR ‘x’=’x
Notice that the password field does not begin or end with an apostrophe. When the server receives this login attempt, it will take everything given in the password field and put it in place of the $password in the code. The resulting SQL command will look like this:
WHERE username=’David’ AND password=’fubar’ OR ‘x’=’x’
When the server runs this command, the last part of that SQL command will always return true. This means that the malicious user could input any username and instantly gain access to that account because the login would work whether or not he got the password right.
Of course, logging into someone’s account is a rather mild offense when you compare it to all the other possible hack attempts: deleting entire databases, mucking up all of the data, or even stealing the data in the databases.
Professional web developers are getting better and better at preventing such tricks, but every once in a while you’ll hear that a company suffered loss at the hands of an SQL injection attack. When it happens, you now know what it means and how it’s possible.