SQL Injection

Govinda Raj
2 min read · Dec 18, 2017

Why does a developer need to know about SQL Injection?

Idea of injection

So, what do you think SQL injection might be doing?

Basic picture

SQL is a programming language designed for managing data stored in an RDBMS, so SQL can be used to access, modify and delete data. Consequently, SQL Injection can give an attacker unauthorised access to sensitive data, including customer data, personally identifiable information, trade secrets, intellectual property and other sensitive information.

Furthermore, in specific cases, an RDBMS could also run commands on the operating system from an SQL statement.

In what scenario can an attacker attack your website via SQL injection?

An SQL Injection needs just two conditions to exist — a relational database that uses SQL, and a user controllable input which is directly used in an SQL query.

So, please keep those two conditions in mind; together they can allow attackers to get sensitive data from your website. With that in mind, the following points make it easier to understand how lucrative a successful SQL Injection attack can be for an attacker.

  • An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
  • One of SQL’s primary functions is to select data based on a query and output the result of that query. An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
  • Since web applications use SQL to alter data within a database, an attacker could use SQL Injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.
  • SQL is used to delete records from a database. An attacker could use an SQL Injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application’s availability until the database is restored.
  • Some database servers are configured (intentionally or otherwise) to allow arbitrary execution of operating system commands on the database server. Given the right conditions, an attacker could use SQL Injection as the initial vector in an attack on an internal network that sits behind a firewall.

Now you can understand why a developer needs to know about SQL Injection.
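The two conditions above shown in working code, as an added example that is not part of the original article: a lookup that pastes user input straight into the SQL text, beside the parameterised version. The in-memory SQLite database, table name and sample rows are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample database (not from the article): an RDBMS that speaks SQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_user_vulnerable(conn, username):
    # Second condition from the article: user-controllable input is used
    # directly in the SQL query, so a quote in the input changes the query.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"ORDER BY username")
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL text,
    # so whatever it contains is compared as data and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed input that closes the string literal and appends a tautology.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_user_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_user_vulnerable(conn, hostile),
        "safe_normal": lookup_user_safe(conn, normal),
        "safe_hostile": lookup_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every user for the hostile input (the "complete disclosure of data" the list above warns about), while the parameterised lookup returns nothing because no username equals that string.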



Written by Govinda Raj

Senior Software Developer. Tech Enthusiast and love coding. My portfolio: https://govinda-raj.github.io/
