What is SQL Injection?
Top 5 Types & Examples
To keep your personal data safe from hackers, you should only share it via encrypted forms on trusted websites. However, if the owners of those websites don’t take steps to protect their database, your personal information could still be at risk. With an SQL injection consisting of just a few lines of code, any reputable website might be compromised by hackers, and your details could end up in the wrong hands.
Key takeaway: SQL injection is the insertion of malicious code in websites and web-based applications with the goal of compromising the target website and gathering user data. As the name suggests, SQL injection attacks target Structured Query Language (SQL) databases, which are considered the backbone of web hosting. Read on to learn more about the five main types of SQL injection attacks.
What Is SQL Injection?
SQL injection is the embedding of malicious code in web-based applications with the goal of attacking websites and/or harvesting user data. Hackers carry out SQL injection attacks for a variety of reasons. In addition to data breaches, they may use this technique to feed false information into the application’s database, remove important information from it, or deny database access to the owners and creators of the app. To do this, they must find and exploit some security vulnerability in the targeted app’s software.
Short for Structured Query Language, SQL is a specially designed language used to input data and modify the contents of databases. Websites and web-based applications depend on databases to store all their data and deliver their services to end-users. SQL plays a crucial role in this process because it allows users to locate specific content in the database. For example, if you’re searching for a particular product on an online store, your search term and your preferences (size, weight, etc.) will all be formatted in SQL.
As the name suggests, SQL injection attacks target these SQL databases. The hacker responsible for the attack exploits a lack of input validation filters for the so-called escape characters (e.g. backslash) to inject their own code into the system. Depending on their goals, hackers can set up the code so that each time an end-user enters a search query, they get access to their login details or a part of the database is completely destroyed. SQL injections may even be used to spread malware through infected websites.
Although easily preventable, SQL injection attacks are a major threat that has affected many reputable companies and media outlets, as well as their users. Experts estimate that more than half of all cyber attacks nowadays are carried out using SQL injection techniques. Most of them target WordPress blogs and eCommerce sites. According to 2014 statistics, a single attack costs businesses about $200,000.
What Types of SQL Injection Attacks Exist?
Based on the way they are carried out, SQL injection attacks can be organized into five main types.
- Union-Based SQL Injection
Union-based SQL injection is a type of in-band SQL injection attack that uses the UNION SQL operator to easily extract the requested information from the targeted database. The UNION operator allows the user to simultaneously draw data from multiple tables that consist of the same number of columns and identical data types. Hackers can gather the information they need by injecting a SELECT statement, but for the attack to be successful, they must know the exact table name, number of columns, and data type.
- Error-Based SQL Injection
Another type of in-band SQL injection attack, error-based SQL injection is a technique that allows hackers to leverage the error messages returned by a server to get the information about the structure of the targeted server. Hackers purposefully input invalid queries to trigger error messages. However, these messages often contain either the full query results or the information on how to improve the query to get the desired results, both of which can help hackers to successfully complete their attack.
- Time-Based Blind SQL Injection
Time-based blind SQL injection is a technique that involves the sending of a timed SQL query to the database to assess the result of the query. The query in question will force the database to wait before it returns a result, which will be either TRUE or FALSE. Based on the response time as well as the response itself, a hacker can assess if their payload is successfully sent. The main downside of this SQL injection type is its duration, seeing as the hacker must enumerate the database one character at a time.
- Boolean-Based Blind SQL Injection
Boolean-based blind SQL injection is an inferential injection technique that is very similar to time-based blind SQL injection. Namely, hackers will send one SQL query at a time in an attempt to enumerate the database. Based on the response they get, they will assess if their payload is successfully sent. However, rather than timing their queries, they will combine TRUE and FALSE expressions. As with time-based SQL injection, these attacks can be very slow, especially when a hacker is targeting a large database.
- Out-of-Band SQL Injection
Out-of-band SQL injection is a technique used by hackers to generate DNS and/or HTTP requests that would deliver data directly to them. It is sometimes used as an alternative to time-based blind SQL injection attacks, usually when dealing with slow server response times or when it’s impossible to gather data through the same channel used to launch the attack. Because their success depends on features that can only be enabled by the server administrator, out-of-band SQL injection attacks are very rare.
Examples of SQL Attacks
Over the last two decades, numerous SQL injection attacks have targeted large websites, companies, and social media platforms. Several of these attacks have resulted in major data breaches. Some of the most notable examples include the following:
- In 2008, two Russian-born hackers used SQL injection techniques to attack Heartland Payment Systems, a then-successful provider of payment processing solutions. Classified as the largest breach of credit card data at the time, the attack gave the hackers access to information about more than 150 million credit cards and cost the affected businesses more than $300 million. In 2018, the two hackers behind the attack were sentenced to a combined sentence of 16+ years.
- In 2016, a group of hackers exploited the vulnerabilities in vBulletin, popular online message board software, to target 11 game-oriented message boards, most of them in Russian. During the attack, the hackers have managed to steal login data from more than 27 million accounts.
- Also in 2016, hackers used SQL injection methods to launch a cyber attack against Qatar’s National Bank. The hackers managed to steal more than 1.4GB of data, which was then promptly leaked to the public. This data involved account information of thousands of clients, including members of the country’s ruling family, intelligence officials, controversial religious leaders, as well as several British, French, and US nationals who were labeled spies in the bank’s database.
How to Prevent SQL Injection Attacks
SQL injection attacks are easily preventable with proper website maintenance. This includes constant monitoring of SQL statements from all apps connected to the database, regular application of database updates and patches, as well as the purchase of reliable cybersecurity software to protect the database.
Because these attacks target websites using dynamic SQL, you should take steps to minimize the need for user input in constructing your queries. Whenever possible, offer users prepared statements and a list of options to choose from rather than giving them the option to enter their own query. It is also important to use input validation to avoid problems with escape characters. What’s more, make sure to enable data filtering based on context. For example, you should only allow digits for phone numbers.
In rare cases, hackers may also use SQL injection attacks to compromise otherwise trusted websites with malicious software. As soon as you visit an infected website, the malware will start downloading without your consent. Once installed, it could give hackers access to your browsing history, personal information, and even your keystrokes. To prevent this from happening, make sure to use the best antivirus software (like Norton, BitDefender, Intego or Panda) that will keep your computer and data safe from viruses, malware, and all other potential threats.
- Alert Logic
- Dummies (1)
- Dummies (2)
- E-Security Planet
- Financial Times
- Helpnet Security
- PC World
- SQL Injection
- Wikipedia (1)
- Wikipedia (2)
Founder of SoftwareLab
We are proud and humbled to have helped millions of readers since then, and hope that you will find our work useful. If we can improve our service to you, please let us know here.
Are you protected?
Hackers may use compromised websites to distribute malicious software, so you mustn’t take your online security for granted. Keep your computer, your files, and your personal information safe.