How to prevent SQL injection attacks

17/02/2025

How to prevent SQL injection attacks

By Graciela Martínez and Guillermo PereyraLACNIC CSIRT

SQL injection attacks are a very popular web hacking technique. Known as SQLi, these attacks occur when one or more valid SQL statements are “injected” into an input field to be processed by an underlying database. 

Structured Query Language (SQL) is a command-and-control language for relational databases.

How is an SQL injection attack performed?

An attack occurs when an application accepts data from unreliable sources — data that has been modified to be interpreted as code — and does not perform a proper validation before using the data to perform a dynamic query on the database. 

Attack vectors

When designing an application, it is important to keep in mind that any user-entered data can be modified arbitrarily.

Attacks on web applications are usually performed by modifying parameters in the URL, using the HTTP GET method or, as we will see in the examples below, modifying any type of data input with the HTTP POST method. Depending on how the web application is designed, this vulnerability can be exploited either by modifying HTTP headers such as User Agent, cookies, referrer, or the system’s own headers.

Other potential attack vectors should also be considered, for example, bar code readers, QR readers, or video cameras with text recognition.

(Free access, no subscription required)

It is important to note that attackers may be either external or members of the affected organization.

What are the possible consequences of an SQL injection attack?

Any unwanted action executed on a database as a result of an SQLi attack can affect one or more information security pillars. 

A successful attack can allow the attacker to perform different actions that affect the confidentiality, integrity, and/or availability of the information contained in the database.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.

Subscribe
Notify of

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments