404 Tech Support

SQL Injection Attacks

Anybody who will be coding publicly-accessible SQL-based web applications needs to be aware of the threat from SQL Injection attacks. SQL injection attacks are attempts made by a malicious user to gain access to the SQL back-end database, and they can be launched through, for example, a PHP front-end.

One way for the attack to work is to input unexpected data. If that input is formatted so that the application passes it along as part of a valid SQL command, the attacker can interact with your database in an unintended way. This can either allow conditions to be met when they aren’t (like a successful login) or the database to be modified (dropping a table).
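As an added example (not code from the original post), the following Python script shows the mechanism against an in-memory SQLite table: a login check built by string concatenation, next to the same check using a parameterized query. The `users` table, the `alice` account and the tampered password string are constructed for the demonstration; the post talks about PHP front-ends, where the equivalent fix is PDO or MySQLi prepared statements.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user table with a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    # Vulnerable: the user's input is spliced into the SQL text, so a quote
    # character in the input ends the string literal and the rest is parsed
    # as part of the command.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    # Hardened: placeholders are bound by the driver, so the input is always
    # treated as a value to compare against, never as SQL syntax.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    # Returns the outcome of both checks for a correct password, a wrong
    # password, and the textbook tampered input that turns the WHERE clause
    # into "... AND password = '' OR '1'='1'", which is true for every row.
    conn = make_db()
    tampered = "' OR '1'='1"
    return {
        "correct": (login_unsafe(conn, "alice", "s3cret"),
                    login_safe(conn, "alice", "s3cret")),
        "wrong": (login_unsafe(conn, "alice", "wrong"),
                  login_safe(conn, "alice", "wrong")),
        "tampered": (login_unsafe(conn, "alice", tampered),
                     login_safe(conn, "alice", tampered)),
    }


if __name__ == "__main__":
    for case, (unsafe, safe) in demo().items():
        print(f"{case:9s} unsafe={unsafe} safe={safe}")
```

Only the concatenated version accepts the tampered password; the parameterized version compares it as an ordinary (and wrong) string.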

The Wikipedia entry for SQL Injection is quite good and is recommended reading to understand the variety of attacks that could compromise your data.

Shadowserver has a well-written article explaining how SQL Injection, Redirects, and Drive-By Downloads work with a graphic to explain it.

You can use a tool called Pixy to check over your PHP code for SQL Injection and cross-site scripting vulnerabilities by downloading the tool or pasting your code into an online version.