Exploits – SQL Injection Attacks

imageSQL injection is a technique used by attackers to damage or steal data residing in databases that use SQL syntax to control information storage and retrieval. SQL injection usually involves using a mechanism such as a text field in a web form to directly pass malicious SQL to a program or script that queries a database. If the program or script does not properly validate the input, the attacker may be able to execute arbitrary database commands, such as deleting tables, altering sensitive records, or accessing other parts of the database or network. For a more in-depth explanation of SQL injection see the Security Intelligence Report (SIR) Section 3.2.

Comments (1)

  1. Kai Axford says:

    Nice post! The largest data breach in history (Heartland Payment Systems) was the result of a SQL Injection attack. I spent some time speaking with their CSO last night and he explained the amount of effort and money it took for them to recover. SQL Injection (and there are many flavors) is the result of improper form validation, essentially allowing a form field (i.e. name, password, etc.) to be used as a way to input long character strongs that include SQL commands, such as DROP TABLE. Any ANSI-99 compliant relational database is subject to this, including MySQL, Oracle, and MS SQL Server. This is a Dev issue, but the IT Pro still has to do the cleanup.