Written by Domenic Molinaro
Published on June 4, 2021

What is SQL injection, exactly?

SQL injection is a cyberattack that tricks a database into allowing hackers to access it. An SQL injection forces an unsecured database to execute unsafe commands by inserting malicious code into the database’s Structured Query Language (SQL), the most commonly used language for database management.

This article contains :

    Though SQL injection (SQLi) has been around for decades, it’s a persistent threat and represents two-thirds of web application attacks today. OWASP, a non-profit leader in web security awareness, puts injections at the top of its list of web application security risks.

    SQL injection vulnerability is often the result of a poorly written API (application programming interface). Web application developers sometimes struggle to see their mistakes until someone else discovers them — which is why new products are often easy prey for SQL injection zero-day attacks.

    And when they aren’t helping themselves to your data, skilled cybercriminals often sell your data to data brokers. Potentially lucrative and relatively easy to pull off with the right skills and experience, SQL hacks are a main source of income for many hacker groups.

    What does SQL stand for?

    SQL stands for structured query language and is the standard programming language used for database management. When communicating with or querying a database to request information, SQL is the language most commonly used to access that data.

    Think of a database like a web application’s warehouse. A database is full of tables, which are like boxes holding data such as customer information, items for sale, or login credentials. When you enter information into a web application, SQL lets the database process the request and return the requested information.

    SQL’s intuitive English-based syntax has made it the database management language of choice for many API programmers. If a database is a web application’s warehouse, an API is like the snazzy storefront. It’s what you’re actually interacting with when you navigate a website and submit requests through an entry or form field (such as searching for an item).

    SQL sits right behind the storefront, taking your requests and translating them into code for the database. Unfortunately, SQL’s capacity to interpret user input also makes it an easy target for hacking.

    In case you’re wondering, you can pronounce SQL as “sequel” or “S-Q-L.” Check out our crash course on other cybersecurity terms if you’re a little fuzzy.

    How is an SQL injection attack performed?

    Hackers perform an SQL injection attack through an entry field — such as a login portal, a form field, or a search bar — in a web API. By altering the entry data with a malicious snippet of code known as an exploit, a cybercriminal can trick an unsecured database into interpreting the data as a command.

    Hackers execute SQL injection attacks through website entry fields that communicate directly with APIs.Websites with unsecured entry fields can be vulnerable to SQLi attacks.

    Repeated SQL injections give hackers a good idea of a software’s degree of vulnerability. Here’s an example of how an SQL injection attack is performed:

    1. You’re trying to access your user data on a website, so you enter your username: AVGRocks17.

    2. SQL makes your entry intelligible to the database. That is, SQL turns your entry into something like: “Go find user AVGRocks17 and give me their data.” You only have to type in “AVGRocks17,” but SQL translates the request into code that tells the database what to do. It might look something like this:

    SELECT * FROM users WHERE userID = AVGRocks17;

    The asterisk above means “all details,” possibly including your real name and password.

    Instead of filtering for a specific user, an SQL injection of, say, OR 1=1 into a search bar, login portal, or other entry field can force the SQL to query the database for all details of EVERY user. How? The database receives:

    SELECT * FROM users WHERE userID = AVGRocks17 OR 1=1;

    The database interprets this as a command to look through each user’s data, and to hand all of it over if the ID matches AVGRocks17 or if 1 equals 1 — which, of course, it always does.

    SQL injections can change, insert, and delete elements from a database or lay the groundwork for a denial of service attack. Hackers can also install backdoors that give them access to a server indefinitely.

    Common SQL injection commands let hackers tamper with, steal, or destroy data; spoof or steal identities; or change database permissions. In extreme cases, an SQL injection can turn over complete control of a database to an attacker.

    How do SQL injection attacks work so easily? Well, they shouldn’t. SQL injection vulnerabilities are often the result of shoddy programming by a web developer. Companies often hire developers with little experience or know-how, and proper security also takes longer to program. Tight deadlines can lead many companies to deprioritize security.

    It’s not all human folly, however. Since the logic is so simple, SQLi attacks are easily automated. Even the best programmers are no match for an army of bots.

    Real-world SQL injection examples

    In 2008, payment processor Heartland Payment Systems was hacked via SQL injection for over $130 million in losses. The attackers stole a whopping 130 million credit card numbers in one of the biggest data breaches of credit card data in history. 

    In 2014, a hacker gang collected over 1.2 billion unique IDS and password combinations from over 420,000 websites all across the internet. The Russian hacker group used SQL injections to command databases to reveal and dump their contents.

    UK telecom giant TalkTalk came under fire in 2015 for weak web security that compromised hundreds of thousands of customers’ personal information. Even though SQL security risks were well-known at the time, the company was helpless against the attack.

    For an SQL injection example that concerns the everyday gamer, Epic Games had their forums hacked in 2016, and 800,000 user accounts were leaked. SQL injections targeted the popular online message board software vBulletin, which has become infamous for its vulnerability to SQL exploits. In general, SQL injection attacks are spreading through the gaming industry like wildfire.

    No one is safe from SQLi attacks, whether it’s a huge company, a website owner, or the average internet user. SQL’s convenience practically guarantees that SQLi will remain a widespread attack vector.

    The best way to keep your data safe is to use real-time security software that guards against phishing attacks and network intrusions. AVG AntiVirus FREE defends you against security vulnerabilities, phishing, and password leaks — as well as the full range of malware.

    Types of SQL injection

    The three main types of SQL injection are in-band SQLi, out-of-band SQLi, and inferential SQLi. An SQL injection is classified into different categories depending on how common it is, which method of attack is used, and the potential damage inflicted.

    In-band SQL injection

    In-band SQLi is the most basic type of SQL injection. With in-band SQL attacks, hackers can launch an attack and retrieve the results on the same server. In-band SQL injection is commonly used because it’s simple to perform.

    Out-of-band SQL injection

    Out-of-band SQLi attacks try to extract a database’s contents to a different server and require the database to be able to make DNS or HTTP requests. Out-of-band SQLis are less common, but also more severe.

    Inferential (blind) SQL injection

    An inferential (blind) SQL injection poses true or false statements to a database to try and infer its structure. By examining the responses received, a hacker can start to identify a database’s potential vulnerabilities.

    How to identify SQL injection vulnerabilities

    The best way to identify SQL injection vulnerabilities in your database is to test it. Here’s a look at several of the most popular SQL injection testing tools.

    • sqlmap is an open-source “penetration tester” that can scan a system for security vulnerabilities. sqlmap can dump an entire database’s contents, but this means hackers can use it as well.

    • suIP.biz is an online scanner powered by sqlmap and can test for SQL injection in popular database management systems such as MySQL, Oracle, or Microsoft SQL Server.

    • Hacker Target scans for vulnerabilities focused on blind and error-based injections against HTTP GET requests (a certain type of URL). It is also powered by sqlmap.

    • Vega scans for SQL injections and a similar type of attack called Cross-Site Scripting (XSS) injections. Open-source and user-friendly, Vega runs on Linux, macOS, and Windows.

    How to prevent SQL injection attacks

    Web developers can prevent SQL injection attacks with good coding hygiene. But there’s also plenty that you can do to protect your sensitive data against SQLi attacks.

    • Check if a website is safe before you enter your info, and monitor tech security news so you can change your password in case a website you use is breached. AVG BreachGuard can help prevent your data from getting leaked in a breach.

    • Practice strong password habits, such as using unique passwords with at least 12 characters, and store them securely with a good password manager.

    • Check if any of your accounts have been leaked as a result of an SQLi attack or another breach with Avast Hack Check. If you’ve been compromised, change your password immediately.

    Web developers and business owners can secure their databases against SQLi attacks with the tips below.

    Parameterized queries and sanitized inputs

    Preventing SQLi attacks starts with sanitized inputs — “cleaning up” the application code by setting up parameters to distinguish between entry data (legitimate info) and commands (hacker info). Proper input sanitation is such a widespread problem that an xkcd webcomic about drop-table SQL injection went viral.

    Web application firewall (WAF)

    A web application firewall (WAF) is a barrier that filters out malicious software and traffic between a web application and the internet. Web application firewalls can be tweaked to guard against different types of SQL injections and other security threats.

    Whitelisting rather than blacklisting

    Blacklisting prevents users from entering potentially troublesome characters such as equal signs, semicolons, and quotation marks. Since whitelisting approves only certain characters, it is more restrictive and has greater impact. Hackers have found creative ways to get around blacklisting, but whitelisting leaves little wiggle room.

    Data Encryption

    Data encryption keeps your data under lock and key until it gets back to you. By encrypting the data in the database, hackers can’t access the actual data unless they can unlock it.

    Use updated security software

    No matter how vigilant you might be, it’s tough to block millions of hackers trying to sneak in the door. Modern security software for businesses can patch automatically to help protect against evolving SQL injection threats.

    Protect against threats and vulnerabilities with AVG Antivirus

    There’s not much to do if your favorite website is hit by SQL injection, but you don’t have to tolerate lax security on your own devices.

    AVG’s patented security software patrols for threats 24/7. Scan your device in a snap to plug up any security holes or Wi-Fi vulnerabilities. Secure your email from snoopers and block malicious downloads, unsafe links, and phishing attempts.

    Cover online threats from any angle, whether it’s by securing your network, ejecting outdated software, or blasting malware. Try AVG AntiVirus FREE today.

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install
    Domenic Molinaro