What is SQL and SQL Injection?

Some news items the other day mentioned SQL Injection as a possible cause of the TalkTalk attack. They could be right, so don't let it happen to you!

Today's article covers just "What is SQL" and "What is SQL Injection"; we'll investigate how to mitigate SQL Injection attacks in the next article in this series.

SQL (Structured Query Language) is a programming language for managing data in a database such as SQL Server, MySQL, Sybase and the like.

Here is an example SQL command as it might be issued from application code written in PHP, ASP.NET or another language:
SELECT * FROM Customers WHERE email = 'me@pfi-security.co.uk';
One record is returned; the asterisk signifies that all fields of that one record are to be returned, just like one row in Excel.

SQL Injection is when malicious SQL is inserted through a form on your website. In reality the form itself would not be used; instead a script is written that simulates the form being submitted, perhaps over the Tor network for anonymity.
Signing in to a service usually requires an email address; in my case me@pfi-security.co.uk would be entered on the web page. Let's assume that me@pfi-security.co.uk is passed to a variable called $email (in PHP, $ signifies a variable, so ours, named email, is written $email).

This $email variable is now passed into the SQL statement, which is where the trouble begins.

SELECT * FROM Customers WHERE email = '$email'
which, once the variable is substituted, is read as:
SELECT * FROM Customers WHERE email = 'me@pfi-security.co.uk';

The first step for an attacker is an information-gathering exercise; this might take the form of a simple SQL string, so imagine this.

If sometext' OR 'x'='x is entered as the email address, then the SQL statement becomes:
SELECT * FROM Customers WHERE email = 'sometext' OR 'x'='x';
Because 'x'='x' is always true, the WHERE clause now matches every row, so the whole Customers table is returned instead of one record.

I've run a similar query on a country database table to show you the logic really does work.
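As an added example (not code from the original post, which shows PHP), the following Python script builds a small in-memory SQLite table standing in for the article's Customers table and runs both the genuine email address and the sometext' OR 'x'='x input through the concatenated query described above. Beside it sits the same lookup written with a bound parameter, so the input is treated purely as data; that is a preview of the mitigation the next article covers, and the table rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the article's Customers table.
SAMPLE_CUSTOMERS = [
    (1, "me@pfi-security.co.uk"),
    (2, "alice@example.com"),
    (3, "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database with the sample Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def build_vulnerable_sql(email):
    """Mirror the article's PHP pattern: the raw input is spliced into the SQL text."""
    return "SELECT * FROM Customers WHERE email = '" + email + "';"


def lookup_vulnerable(conn, email):
    """Run the concatenated statement; the input can change the query's logic."""
    return conn.execute(build_vulnerable_sql(email)).fetchall()


def lookup_parameterised(conn, email):
    """Run the same lookup with a bound parameter; the input is data only."""
    return conn.execute(
        "SELECT * FROM Customers WHERE email = ?", (email,)
    ).fetchall()


def row_count_mismatch(conn, email):
    """True when the concatenated query returns a different number of rows
    than the parameterised one, i.e. the input altered the query's meaning."""
    return len(lookup_vulnerable(conn, email)) != len(lookup_parameterised(conn, email))


if __name__ == "__main__":
    conn = make_db()
    for email in ("me@pfi-security.co.uk", "sometext' OR 'x'='x"):
        print("input:        ", email)
        print("built SQL:    ", build_vulnerable_sql(email))
        print("concatenated: ", lookup_vulnerable(conn, email))
        print("parameterised:", lookup_parameterised(conn, email))
        print("query altered:", row_count_mismatch(conn, email))
        print()
```

Run as-is, the genuine address returns one row by either route, while the injected string returns all three rows through the concatenated query and none through the parameterised one, which is exactly the mismatch that tells you the input was executed as SQL rather than compared as an email address.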

The attacker may next run scripts against the lost-password web page. Their main aim is to obtain the database field names and table names, to query for weak passwords, to gain access to existing accounts, or to force database errors that leak further information about the database, all to help them on their way to being richer.

What can be done to prevent attackers getting richer?

In my next article we’ll look at methods to mitigate the risk of SQL injection breaches.