How to Prevent SQL Injection Attacks

Structured query language (SQL) is a computer language used to manage databases and manipulate the data in them. Modern computer users rarely see or write SQL queries directly; the process is largely abstracted away by today's user interfaces. Instead of typing SQL queries at a command-line prompt, most operating systems present a visual filing-system interface that lets important files be sorted into folders on the computer's storage drive.

So, what are SQL queries? Here's a quick list of the main categories of SQL statements:

  1. Queries. Standard commands that request data, organize data files, or ask for specific information about a data file.
  2. Data Manipulation Language. Commands that update/modify, add, or delete data.
  3. Data Definition Language. Used for managing tables and indexes.
  4. Data Control Language. Commands that grant or revoke database rights for specific users.

Why does knowing about SQL code and queries matter if most users in your organization (apart from your IT guys) never deal with them directly? One reason is the risk of SQL injection (SQLI) attacks. What is SQL injection? Here's a quick explanation of how SQLI works and how to prevent it:

What is SQL Injection?

An SQL injection attack is a type of cyberattack that injects malicious SQL code into a target's database in order to manipulate it into revealing potentially sensitive information. Depending on the attack type, this could be specific files or data on the target system/database, or even information about the database's structure.

SQL injection attacks come in several different categories, including:

  1. In-Band SQLI Attacks. The most “simple” type of SQL injection, in-band SQLI attacks use the same communication channel both to deliver the malicious SQL code and to gather the results. These attacks are fairly common because of how simple they are to carry out. This category includes error-based SQLI, where the attacker deliberately provokes error messages to learn about the structure of the database.

  2. Inferential SQLI Attacks. Also called “blind” SQL injection because the attacker cannot collect information about the attack “in-band.” These attacks inject SQL code, after which the attacker observes the server's response or behavior. For example, in a time-based SQLI attack the attacker sends an SQL query and measures how long the server takes to respond. Based on the response time, the attacker can tell whether the query evaluated as “true” or “false” without seeing an actual message from the database.

  3. Out-of-Band SQLI Attacks. The less common alternative to in-band or blind SQL injection. Out-of-band SQLI attacks are typically used when the attacker cannot use the same channel both to launch the attack and to gather information, or when the server is too slow or unstable. Here, the attacker usually gathers data via DNS or HTTP requests.

Why is SQL Injection a Danger?

What if I told you that, with a single line of SQL code, an attacker could potentially delete an entire database? A single data manipulation language or data definition language statement could be used to delete crucial information. For example, a DROP TABLE command could be used to force a database to delete entire tables of data.

Alternatively, an SQLI attack could be used to obtain user names and passwords from a database—giving the attacker access to genuine user credentials that can be used for further attacks.

The damage and disruption that the different forms of SQL injection attack can cause are catastrophic and should not be underestimated. Just imagine how badly your organization's operations would be affected if your databases were suddenly deleted, or if malicious actors could freely access your payroll and/or invoice system.

How to Prevent SQL Injection Attacks

There are a few ways to stop SQL injection attacks. One of the most basic is input validation: identifying illicit user input and selectively ignoring it. While a good idea, it is hard to write code that anticipates every possible variation of both legitimate and illegitimate input. At the very least, you would run the risk of numerous false positives that degrade user experience and system functionality.
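As an added example (not code from the original post), the following Python snippet shows allow-list input validation of a username next to a query built by string concatenation and the same lookup done with a bound parameter; the parameterized form goes beyond the validation the text describes and is the standard complement to it. The in-memory database, table and test input are constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory sample database (not from the original page).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# Allow-list validation: a username is 3-32 characters of letters, digits, '_' or '.'.
# Anything else (quotes, spaces, comment markers) is rejected before it reaches SQL.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{3,32}")

def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Builds the query by concatenation, so user input is parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Validate first, then bind the value as a parameter so it is only ever data.
    if not validate_username(username):
        raise ValueError("rejected username: fails allow-list validation")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"  # constructed test input, not a real user name
    print(lookup_vulnerable(conn, "alice"))      # one row
    print(lookup_vulnerable(conn, tautology))    # every row in the table
    try:
        lookup_safe(conn, tautology)
    except ValueError as err:
        print("safe lookup:", err)
    print(lookup_safe(conn, "alice"))            # one row, input bound as data
```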

The more reliable solution is to use a web application firewall (WAF) to filter SQLI traffic (and other malicious traffic) out of your network. One method web application firewalls use to filter traffic is signature recognition: comparing incoming traffic against whitelists of “safe” patterns or blacklists of “unsafe” patterns in order to block potentially malicious SQL code.
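To illustrate blacklist-style signature matching of the kind a WAF performs, and the false-positive problem mentioned above, here is an added example (not any product's rule set): a small denylist of patterns checked against URL-decoded query strings. The signatures and the sample requests are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed denylist in the spirit of a WAF signature set (not a real product's rules).
DENY_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),      # tautology such as ' OR '1'='1
    re.compile(r"\bdrop\s+table\b", re.I),                  # schema-destroying statement
    re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b", re.I),  # time-based (blind) probing
    re.compile(r"(--|/\*)"),                                # SQL comment markers
]

def inspect_request(query_string: str) -> dict:
    """Decode a query string and report which signatures, if any, it matches."""
    decoded = unquote_plus(query_string)  # decode first, or %27 hides a quote
    hits = [sig.pattern for sig in DENY_SIGNATURES if sig.search(decoded)]
    return {"decoded": decoded, "blocked": bool(hits), "matched": hits}

def triage(requests):
    """Return (request, blocked) pairs for a batch of query strings."""
    return [(r, inspect_request(r)["blocked"]) for r in requests]

# Constructed sample requests (made up for this example).
SAMPLE_REQUESTS = [
    "user=alice",                       # benign
    "user=o'neil",                      # legitimate apostrophe: must not be blocked
    "user=%27+OR+%271%27%3D%271",       # URL-encoded tautology: blocked
    "user=bob%3B+DROP+TABLE+users",     # DROP TABLE as described above: blocked
    "q=reports+2023--final",            # benign text that trips the comment rule (false positive)
]

if __name__ == "__main__":
    for request, blocked in triage(SAMPLE_REQUESTS):
        print(f"{'BLOCK' if blocked else 'allow':5}  {request}")
```

The last request shows why a pure blacklist is not enough on its own: an ordinary value containing `--` is blocked, which is the false-positive cost the text warns about.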

Some web application firewall solutions can also cross-reference IP address data against blacklists of IP addresses previously identified as malicious.

It also helps to proactively test your network to see whether your databases and applications are vulnerable to the different types of SQLI attack. By finding these vulnerabilities early, you improve your chances of fixing them before someone else can exploit them.

Need help determining if your organization is vulnerable to SQL injection? Reach out to the Compuquip team for help!
