Common security threats – SQL Injection

What is SQL Injection:

If a website has an input box or entry form (for example, where you enter your username and password, or your credit card number when buying something), an attacker can try inserting Structured Query Language (SQL) code into that input to gain access to, or make changes to, the stored data.

What makes protection a challenge:

SQL injection exploits the trust between the web application and its database, letting the attacker do almost anything they want with that database. If all you can think of is “delete data,” you are underestimating how far a criminal will go. Besides adding, removing, and changing data, and in addition to stealing information such as client credit card numbers, personal data, and health records, there is also the possibility of inserting malicious code that is passed back to users when they use the form, in place of the data they were looking for. Once criminals adopt that tactic, they can abuse popular websites to do their dirty work for them: distributing drive-by downloads, building a botnet army, even hijacking DNS requests to send visitors to malicious versions of legitimate websites they know and trust. If the login form is vulnerable, SQL injection can even help with password cracking by bypassing the login altogether.

Any place where a user can enter information into a website backed by a database has the potential to be SQL injectable, which unfortunately makes this a widespread problem. You can’t simply remove every user-input interaction from your website and still take purchases or feedback.
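The login-bypass scenario described above comes down to one implementation detail: whether user input is pasted into the SQL text or passed to the database as a separate value. The following is an added example, not code from the original post, written in Python against an in-memory SQLite database with constructed sample data (the `users` table, the user `alice`, and the function names are all assumptions for illustration). It places a concatenation-based login check beside a parameterized one and runs the same inputs through both, so the difference in behaviour is visible rather than described.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the page. Passwords are stored in
    # plaintext only to keep the demo short; a real system stores password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the query by string concatenation: whatever the user typed becomes
    # part of the SQL text, so the database parses it as SQL, not as data.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders fix the SQL structure up front; the driver hands the values
    # to the database separately, so input can never change the WHERE clause.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    # Runs identical inputs through both versions and returns the outcomes.
    conn = make_db()
    # Textbook tautology input: with concatenation it turns the password check
    # into "... AND password = '' OR '1'='1'", which is always true.
    tautology = "' OR '1'='1"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "wrong_vulnerable": login_vulnerable(conn, "alice", "wrong-password"),
        "wrong_parameterized": login_parameterized(conn, "alice", "wrong-password"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology),
        "tautology_parameterized": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

The parameterized version accepts the correct password and rejects everything else, including the tautology input, because the database only ever sees that input as a string to compare against the column. The same rule applies to every query that touches user-supplied data, not just logins: build the SQL with placeholders and let the driver bind the values.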

Want to discuss it further? Contact us today!
