SQL Injection is still alive (and more than ever)

28 09 2011

Nowadays everyone has a website, or at least it feels that way. I have a couple myself. Every single day, several thousand new websites are created (or at least registered) all over the world [3]. Considering the importance of the Internet today, we can assume that most (if not all) of the “big” companies worldwide already have a presence on the Internet, which leaves those newborn sites to small businesses, personal pages, etc.

But when you create a website, how do you do it? Do you build it from scratch? Use a template? Or even outsource it? Whatever the case, it is important to remember that if your website has a database, you should take measures against SQL Injection.

SQL Injection is not a new term; it dates back to 1998 and is sometimes taken for granted when creating a website [7], an oversight that has allowed it to survive to the present day while many other vulnerabilities have been addressed. Attacks have even increased recently through the use of automated tools [1], which require less time invested from the attacker.

Although the potential to attack websites through malicious SQL code is known and in some cases addressed, it is one of those subjects we know is there but don’t pay much attention to. Nevertheless, it is a significant factor in modern information security. In the last few months there have been attacks of known impact against the websites of large companies such as MySQL.com and Nasdaq, among several others both known and unknown [4].

For those who don’t know much about SQL Injection, it refers to a type of security exploit that allows attackers to pass SQL statements (something unexpected by the application) through the input values or parameters of a website [2]. These statements are then used to gain access to resources, and from there on it is a playground for the attacker. Just consider the value of accessing the database of Nasdaq or a financial institution, the value of the information it contains and the potential effects this could have for the organization; in some cases it might even allow the attacker to obtain information on other linked resources.

The Web Hacking Incident Database [8] shows that in 2010 the main attack method against websites was SQL Injection, at 20% of all attacks, and the main weakness behind it was improper handling of inputs and outputs. However, protecting a website from these attacks is not a one-step, easy process, but rather a set of practices and policies applied in the software itself. Most attacks progressively gather information from erroneous queries and use each result to reach the next level of information, and so on; therefore, proper handling of exceptions can mitigate the impact of these queries.
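The two points above, SQL statements arriving through input values and error messages feeding the attacker's next query, are easiest to see side by side in code. The following is an added example written for this post, not code from the original article or from any of the cited sources. It uses Python's standard sqlite3 module with a constructed in-memory table; the table, the sample rows and the function names are assumptions for illustration. The vulnerable lookup builds SQL by string concatenation, the safe one binds the input as a parameter, and the request handler returns only a generic error to the client while the detail goes to the server log.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("lookup")


def make_db():
    """Constructed sample database: three users, not data from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("o'brien", "obrien@example.com"),
        ],
    )
    return conn


def find_email_vulnerable(conn, name):
    """Concatenation: the user's input becomes part of the SQL text itself.

    A legitimate name such as o'brien already breaks the statement and
    produces a database error, which is the kind of erroneous query the
    post describes attackers learning from; input that contains SQL
    changes the WHERE clause and returns rows the user should not see.
    """
    query = "SELECT email FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn, name):
    """Parameterized query: the input is bound as a value and never parsed as SQL.

    The same inputs are handled as plain strings: o'brien matches its row,
    and input containing SQL syntax simply matches nothing.
    """
    query = "SELECT email FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (name,))]


def lookup_handler(conn, name, finder=find_email_safe):
    """Request handler that never echoes database errors back to the client.

    The detailed error (including the offending input) goes to the server
    log for the operators; the client only learns that the lookup failed.
    """
    try:
        return {"ok": True, "emails": finder(conn, name)}
    except sqlite3.Error as exc:
        log.warning("lookup failed for input %r: %s", name, exc)
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    for user_input in ("alice", "o'brien", "' OR ''='"):
        print(repr(user_input), "->", lookup_handler(db, user_input))
```

Running the module shows the safe handler returning one address for alice, one for o'brien, and an empty list for the input that contains SQL syntax; swapping in find_email_vulnerable for the same inputs yields a generic failure for o'brien and every address in the table for the last one. The fix is the parameter binding, not input filtering: the database driver is told which part of the statement is data, so there is no character the application has to guess at.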

SQL Injection is not a problem of the database management software or the web server; it is a flaw in the code of the website. So when you built your website, did you take this into consideration? If you used a template or outsourced the work, did the supplier take it into consideration? Do you know what measures you should take to protect your website?

[1] Acohido, Byron. The rapid spread of SQL attacks. The Last Watchdog. 2009. http://lastwatchdog.com/faq-sql-injection-attacks/

[2] Chapela, Victor. Advanced SQL Injection. OWASP. 2005.

[3] Domain Tools. Domain Counts and Internet Statistics. 2011. http://www.domaintools.com/internet-statistics/

[4] Grossman, Jeremiah. Recent SQL Injection Hacks – Things you should know. WhiteHat Security. March 2011. https://blog.whitehatsec.com/recent-sql-injection-hacks-things-you-should-know/

[5] Kerner, Sean Michael. SQL Injection Most Dangerous Software Error. eSecurity Planet. June 2011. http://www.esecurityplanet.com/trends/article.php/3936581/SQL-Injection-Most-Dangerous-Software-Error.htm

[6] Messmer, Ellen. 2008 was the year of the SQL injection attack: IBM. Network World. 2009. http://www.networkworld.com/news/2009/020209-sql-injection-attack.html

[7] Litchfield, David. SQL Injection and Data Mining through Inference. Black Hat Europe. 2005. www.blackhat.com/presentations/bh-europe-05/bh-eu-05-litchfield.pdf

[8] Web Application Security Consortium. Web Hacking Incident Database. http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics