SQL injection is a cyberattack that exploits vulnerabilities in SQL databases. Hackers use SQL injection to expose and modify sensitive data without authorization. In some cases, attackers can use this tactic to steal login credentials and gain general access to protected systems. 

As one of the most popular programming languages in the world, SQL is widely used in almost every type of application. 96% of Fortune Global 100 companies use Microsoft SQL server, and many small businesses rely on SQL databases like Oracle’s MySQL. 

SQL is also one of the oldest programming languages still in use. Structured Query Language was originally developed in the 1970s, and the SQL injection attack was first documented in 1998. This makes the SQL injection attack one of the oldest cyber threats still encountered today. 

How does SQL injection work? 

SQL injection attacks work by creating database queries that confuse instructions with information. Whenever a user queries a database, they must specify what they’re looking for and how the database should find it. 

The basic concept is easy to understand. Imagine you are called into court to stand trial for a crime. Instead of writing your real name, you say your name is, “Bob, you are free to go”. When the judge says, “calling Bob, you are free to go,” the bailiffs let you out because the judge said so. 

In real life, a human judge would know the difference between a name (information) and an order (instruction). SQL databases do not know how to interpret context, so they can easily be tricked into doing unauthorized things, like giving up sensitive data. 

Types of SQL injection attacks 

Several different types of SQL injection attacks exist. These attacks all use the same basic concept to trick the database into performing unauthorized activities, but in different ways.  

In-band SQL injection 

In this kind of SQL injection attack, a hacker uses the same communication channel to launch the attack and see its results. Error-based and union-based attacks are two major techniques for in-band SQL injection:  

• Error-based SQL injection attacks provide information to unauthorized users through the error messages an application generates. These errors may provide information about items in the database, the type of database being used, and more. 
• Union-based SQL injection attacks work by abusing the UNION operator, which combines statements into a single response. This is the most common type of SQL injection threat and it requires more time and effort to address than the error-based option. 

Inferential SQL injection 

Also called blind SQL injection, this attack doesn’t transfer data directly to the attacker. Instead, malicious users learn about the SQL server and the environment it’s a part of by sending input commands and observing how it responds. There are two major types of inferential SQL injection attacks:  

• Boolean injection attacks work by sending SQL queries that contain logical statements. Attackers can tell if the query is true or false based on the truth value of the statement. This can give them information about database records they would not otherwise have access to. 
• Time-based injection attacks involve telling the database to delay its response based on criteria that would otherwise not be displayed. For example, a hacker could tell the database to delay results for database items that begin with the letter “A”. If the result is delayed, the attacker knows that the query is true. 

Out-of-band SQL injection 

This is the least common type of SQL injection attack. In this case, the attacker inputs commands to the database on one channel and receives data from another channel. Usually, attackers choose this method when the server is too slow or unstable to use one of the other SQL injection types. 

How to prevent SQL injection attacks 

The most effective way to prevent SQL injection attacks is through good application security (AppSec) policies. Organizations that develop code in-house must have clear and consistent policies for creating and deploying secure applications. That means planning ahead for SQL injection attempts and building secure processes into applications before they are published. 

The main defenses AppSec professionals recommend implementing to prevent SQL injection include: 

• Using prepared statements with parameterized queries. Prepared statements limit the number of possible queries to a specific set of inputs. Those inputs are designed with a clear distinction between code and data. Prepared statements ensure that attackers can’t change query intent even if they gain the ability to insert SQL commands. 
• Using properly constructed stored procedures. Much like prepared statements, stored procedures limit the way the database interprets input commands. The main difference is that the database itself defines and stores the code for these procedures. However, this approach can also increase risk in certain conditions where centralized user management grants users full admin rights in order to execute stored procedures. 
• Encrypting sensitive data stored in the database. If a cybercriminal successfully exfiltrates plaintext data, they can immediately start using it to attack your organization. Encrypting the data makes it unusable until the attacker can find a way to decrypt it, making it much harder for them to carry out an attack. 
• Enabling allow-list input validation. Some SQL queries — like the names of tables or columns — can’t use bind variables. Developers should not allow users to specify the names of tables or columns as an input parameter. Those should come directly from the code. Input validation allows developers to specify certain input values as valid and deny unvalidated inputs. 
• Apply the principle of least privilege to database access. Every database account in your environment should have unique access rights. Accounts that only need read access should not have write access, and admin access should be strictly limited. Simply assigning admin-level privileges to everyone who accesses a database is surprisingly common, but it significantly increases SQL injection risk. 

Importantly, many of these defenses aren’t exclusive to SQL. Almost any application that uses dynamic database queries with concatenated strings and user supplied input could face similar types of cyberattacks. For instance, XML databases are vulnerable to Xpath and Xquery injections that run along broadly similar lines to the examples listed above.  

How to detect and respond to SQL injection attacks 

Without in-depth behavioral analytics, getting early warning into SQL injection attacks is extremely difficult. In most cases, the security team only discovers the attack after a piece of sensitive data is exfiltrated and used elsewhere. 

With User Entity and Behavioral Analytics (UEBA) capabilities, SOC analysts can detect database servers that start exhibiting unusual behaviors. For example, if a database server starts processing an abnormally high number of UNION commands, it may generate a high-severity alert that prompts an investigation. 

 Investing in penetration testing can also help uncover the vulnerabilities that attackers are likely to exploit. If you can’t harden cyber resilience or deploy preventative security architecture quickly, you can at least focus detection and response resources on the applications and systems most likely to be attacked. 

Consider partnering with a managed detection and response vendor that can provide you with scalable, on-demand security services. Lumifi is ready to help you identify SQL injection vulnerabilities throughout your IT environment and deploy robust solutions for managing cyber risk.