SQL Injection
It has come to my attention that your company has recently been the victim of a variety of SQL
Injection attacks. Allow me to describe this common threat, and explain the best ways to go about
protecting yourself from exploit attempts like this in the future.
A SQL Injection attack is an extremely common attack against websites across the globe. It
takes advantage of the fact that a typical web login form passes user-defined parameters to
a SQL back end. Basically, instead of entering legitimate information, such as a user name, password, or
email address, the attacker enters dummy information followed by SQL syntax. That SQL syntax is executed on
the SQL server like any other set of SQL commands. These commands are often used for
malicious purposes: retrieving, wiping, or deleting information from database tables. Those tables
could include customer data, credit card information, or employee social security numbers.
Here is an example of a common SQL Injection attack as it arrives at the SQL server itself. (The
original memo showed the query as a screenshot, with the user input pulled from the login field of the web
page marked in red; that image is not reproduced here.)
In this case, a valid email address is entered first, followed by a quotation mark and a semicolon
to terminate the statement. Unfortunately, the SQL server has no way to tell where the user input stops, so the
injected SQL commands are executed. The next command executed in the sequence drops the entire
employees table. This table includes email addresses, passwords, login IDs and user names. If there are
no measures in place to stop this from executing, the attack will effectively wipe an entire customer
database.
Remediation steps for a SQL Injection attack do exist, and they are not difficult to employ. The first
step is for your web developers to use prepared statements instead of dynamic queries. This tells
the database that anything entered in the login form is only a parameter value, never part of the SQL command.
Next, developers can use Stored Procedures, which work in much the same way prepared statements
do, but are executed from within the database itself. Another step that should be employed is the
escaping or sanitizing of user input. Limiting input to alphanumeric characters and a small subset of symbols
prevents users from escaping the statement and writing new SQL commands after it.
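The following is an added worked example, not code from the original memo or from the company's site. It reproduces the attack described above (a valid email, a quotation mark and semicolon, then a command that drops the employees table) against a constructed in-memory SQLite database, and then shows the first and third remediation steps: the same lookup written as a prepared statement with a bound parameter, and an allow-list check on the login field. The table layout, the sample employee row and the email address alice@example.com are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed example table, mirroring the "employees" table named in the memo
# (email, password, login ID, user name). This is not the company's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (email TEXT, password TEXT, login_id TEXT, user_name TEXT)"
    )
    conn.execute(
        "INSERT INTO employees VALUES ('alice@example.com', 'hunter2', 'A100', 'Alice')"
    )
    conn.commit()
    return conn

def table_exists(conn, name="employees"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

# The memo's attack input: a valid email, then a quotation mark and semicolon to
# terminate the statement, then a command that drops the employees table.
INJECTION = "alice@example.com'; DROP TABLE employees;"

def lookup_dynamic(conn, email):
    """Vulnerable: the login field is pasted into the query text, so the server
    cannot tell where the user input stops and its own SQL begins."""
    sql = "SELECT user_name FROM employees WHERE email = '" + email + "';"
    try:
        # executescript runs every statement in the string, like a server or
        # driver that accepts stacked statements. (A plain sqlite3 execute()
        # would refuse the second statement, which hides the flaw, not fixes it.)
        conn.executescript(sql)
    except sqlite3.OperationalError:
        # The leftover "';" from the template is not valid SQL, but the SELECT
        # and the injected DROP TABLE have already run by the time it is reached.
        pass
    return sql

def lookup_prepared(conn, email):
    """Fixed: a prepared statement with a bound parameter. The database treats
    the whole login value as data to compare against, never as SQL."""
    rows = conn.execute(
        "SELECT user_name FROM employees WHERE email = ?", (email,)
    ).fetchall()
    return [r[0] for r in rows]

# Allow-list for the login field: alphanumerics plus the few symbols an email
# address needs. Quotes, semicolons and spaces are rejected before any query runs.
LOGIN_INPUT = re.compile(r"^[A-Za-z0-9@._+-]{1,254}$")

def is_acceptable_login_input(value):
    return LOGIN_INPUT.match(value) is not None

if __name__ == "__main__":
    db = make_db()
    lookup_dynamic(db, INJECTION)
    print("table survives dynamic query:", table_exists(db))          # False

    db = make_db()
    print("prepared query result:", lookup_prepared(db, INJECTION))   # []
    print("table survives prepared query:", table_exists(db))         # True
    print("input passes allow-list:", is_acceptable_login_input(INJECTION))  # False
```

Run as a script, the dynamic query loses the employees table while the prepared statement simply finds no matching row and leaves the table intact; the allow-list rejects the same input before a query is ever built. SQLite has no stored procedures, so the second remediation step is not shown here; note that a stored procedure only helps if it binds its arguments as parameters, since one that assembles a query string from its arguments and executes it is just dynamic SQL moved inside the database.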
Keep in mind that new attacks are constantly being developed by malicious hackers. This document
covers only a subset of the techniques for safeguarding your website and the data residing behind it.
Sincerely,
Adam Cauchi