What's a SQL Injection Attack?

Millions of servers daily are attacked for the purpose of extracting vital data.

Here's some scary math: IBM tells USA Today that the enterprise service provider measures 450,000 attacks per day on its large corporate clients. How many is that when projected across the entire Internet? Millions of servers daily are attacked for the purpose of extracting vital data. But USA Today never explains exactly what a SQL injection attack is.

It's important for IT workers to understand SQL injection. Standard writer Lincoln Spector writes that operating systems (read: Microsoft Windows) have become much more bulletproof. So black-hat hackers now break into the Web applications running atop the operating system, because there are far more weaknesses to exploit there. According to Gartner, three-fourths of the Web application vulnerabilities reported last year have still not been fixed.

SQL injection attacks work by placing commands written in the database manipulation language SQL (short for Structured Query Language) into, for example, the username field on a website's login page. Incorrect handling of the username causes it to be treated as part of a SQL command by the website's servers.

Wikipedia has several examples of SQL injection. In one, the hacker (or more likely, a program written by the hacker to attack many machines at once) fills in the username field with "a' or 't'='t". This bit of SQL gets added to the command that looks up usernames in the database, where the programmer had assumed that only usernames would be typed.

So instead of running the lookup intended by this line of code, in which userName was supposed to hold nothing but a username:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

the Web application issues this command, which matches every row in the users table (and so always returns a valid username) because the extra clause, 't'='t', is always true:

statement = "SELECT * FROM users WHERE name = 'a' OR 't'='t';"

There are well-documented programming habits that can prevent SQL injection attacks. Or you could hire IBM, which is the unwritten point of the USA Today article. Either way, preventing SQL injection attacks is a must for stopping identity theft, the hijacking of servers to make them spambots, and the further spread of such malware.
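To make the article's example concrete, here is an added example (not from the article or from Wikipedia) that runs both versions of the lookup against a constructed two-row users table in an in-memory SQLite database: the vulnerable string concatenation the article shows, beside a parameterised query, which is the programming habit the article alludes to. Table contents, function names and the role column are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the article: two users, one of them an admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, user_name):
    # The article's pattern: the submitted username is pasted into the SQL text,
    # so quote characters in it change the structure of the query itself.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_safe(conn, user_name):
    # Parameterised query: the driver passes the value separately from the SQL,
    # so whatever the user typed is only ever compared as a literal string.
    statement = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(statement, (user_name,)).fetchall()


def demo():
    conn = make_db()
    payload = "a' OR 't'='t"  # the input from the article's example
    return {
        # honest input behaves the same either way
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "safe_normal": lookup_safe(conn, "alice"),
        # the injected clause makes the WHERE always true: every row comes back
        "vulnerable_payload": lookup_vulnerable(conn, payload),
        # the same text is just a username nobody has: no rows come back
        "safe_payload": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Detecting this in a code base is mostly a matter of searching for SQL strings built with concatenation or formatting from request data; the fix is the parameterised form shown in lookup_safe, applied consistently.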

This story, "What's a SQL Injection Attack?" was originally published by The Industry Standard.

Copyright © 2009 IDG Communications, Inc.
