SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System – RDBMS).
SQL injection
1. SQL INJECTION:
SQL Injection (SQLi) refers to an injection attack in which an attacker can execute malicious
SQL statements by submitting them through a web form input box, in order to gain access to resources
or make changes to data. SQLi is dangerous because it can alter data or destroy the database outright.
The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger
was somewhat limited because an exploit had to be carried out manually: an attacker had to actually
type their SQL statement into a text box. However, automated SQL injection programs are now
available, and as a result, both the likelihood and the potential damage of an exploit have increased
enormously.
Since SQL statements are plain text, a small piece of code can easily build an SQL statement
dynamically to return the data a user selected:
StoreId = getRequestString("MerchantId");
Query_txt = "SELECT * FROM Stores WHERE MerchantId = " + StoreId;
How SQL Injection works
In order to run malicious SQL queries against a database server, an attacker must first find
an input within the web application that is included in an SQL query.
For an SQL Injection attack to take place, the vulnerable website needs to directly include
user input within an SQL statement. An attacker can then insert a payload that will be included as
part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi: the raw input is concatenated straight into the statement text
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement
database.execute(sql)
The above script is vulnerable to SQL Injection because an attacker could submit malicious input in
such a way that it alters the SQL statement being executed by the database server.
A simple example of an SQL Injection payload is setting the password field to password' OR 1=1.
This would result in the following SQL query being run against the database server:
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
The first public discussions of SQL injection started appearing around 1998. SQL injection (SQLI)
was listed among the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web
Application Security Project (OWASP). In 2013, SQLI was rated the number one attack on the OWASP top
ten.
2. Types of SQL injection
* Tautology-based SQL Injection
* Piggy-backed Queries / Statement Injection
* Union Query
* Illegal/Logically Incorrect Queries
* Inference
* Stored Procedure Injection
Protection against SQL injection
Primary Defenses:
• Option #1: Use of Prepared Statements (Parameterized Queries)
String custname = request.getParameter("customerName"); // This should REALLY be validated
// perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );
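Added example, not code from the original slides: the login query from the pseudo-code above, rewritten in Python against an in-memory SQLite table constructed here, with the concatenated version beside the parameterized form that Option #1 describes. The table, the single account and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for the example: one account in an in-memory table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    conn.commit()
    return conn

def login_concatenated(conn, uname, passwd):
    """Mirrors the vulnerable pseudo-code: user input is spliced into the SQL text."""
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # The input changed the statement's structure so much that it no longer parses.
        # A sudden rise in such errors from a login form is itself a detection signal.
        return "syntax-error"
    return row[0] if row else None

def login_parameterized(conn, uname, passwd):
    """Prepared statement (Option #1): the values travel separately from the SQL text,
    so a quote or an OR inside them can never become part of the query."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    tautology = "password' OR '1'='1"  # quote-balanced form of the page's OR 1=1 payload
    print(login_concatenated(db, "alice", "s3cret"))             # 1: legitimate login
    print(login_concatenated(db, "nobody", "password' OR 1=1"))  # syntax-error: the page's payload breaks the statement
    print(login_concatenated(db, "nobody", tautology))           # 1: logged in with no valid account
    print(login_parameterized(db, "nobody", tautology))          # None: payload treated as a literal password
```

The concatenated version logs a non-existent user in as the first account because the tautology rewrites the WHERE clause, while the parameterized version compares the whole payload as a literal password and finds no match.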
• Option #2: Use of Stored Procedures
String custname = request.getParameter("customerName"); // This should REALLY be validated
try {
CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
cs.setString(1, custname);
ResultSet results = cs.executeQuery();
// … result set handling
} catch (SQLException se) {
// … logging and error handling
}
• Option #3: Escaping all User Supplied Input
String query = "SELECT user_id FROM user_data WHERE user_name = '" +
    req.getParameter("userID") + "' and user_password = '" + req.getParameter("pwd") + "'";
try {
    // Concatenating raw parameters as above is still injectable; Option #3 requires each
    // parameter to be escaped for the target database before it is concatenated.
    Statement statement = connection.createStatement();
    ResultSet results = statement.executeQuery(query);
    // … result set handling
} catch (SQLException se) {
    // … logging and error handling
}
Additional Defenses:
• Also Enforce: Least Privilege
• Also Perform: White List Input Validation