OWASP states an “SQL injection attack consists of insertion or “injection” of an SQL query via the input data from the client to the application”.
What does this actually mean?
SQL injection is the process of exploiting interfaces that read input from the user and directly interact with an SQL database.
The attacker tries to craft a payload consisting of a custom SQL statement fragment as an input.
The exploitation happens when the input interface does not have any mechanism to clean the input before sending it to the database.
A successful SQL injection attack can result in disclosure of sensitive data, and some cases can even destroy the database completely (e.g. dropping tables).
How can we protect ourselves?
The best way to guard against such an attack is to put an intermediate layer between the input interface and the database.
We can do this by:
using parameterised queries,
using stored procedures, or
scanning user input for any escape characters.
We shall see how to do this when we fix BuggyTheApp. First though we shall see how Fortify can find the SQL injection vulnerability in Buggy.
© University of Southampton 2017