What is SQL Injection?

SQL injection is a type of computer security exploit in which an attacker can gain access to remote database systems. Using a carefully-constructed value for a form field, such as a name or email address, an attacker can fool the application into requesting data from a database which he would otherwise not have access to. SQL injection attacks are similar to XSS attacks in that the attacker is exploiting an application's regular input vectors. Also in common with XSS attacks, SQL injection attacks can be prevented by simple input filtering and validation before the data is passed on for storage or processing.

SQL injection and other similar exploits are the result of interfacing a scripting language by directly passing information through another language. In the case of SQL injection, a programming language such as PHP or Perl accesses a database via an SQL query. If data received from the end user is sent directly to the database and not properly filtered, then a malicious user could insert SQL commands as part of his input. Once executed on the database, these commands may change, erase, or expose sensitive data. More severe cases can allow remote code execution and system access. As the attacker is using the standard, trusted API for executing his attack there is little chance of the system's administrator being alerted to any wrongdoing. Especially in cases where data is merely displayed and not changed, there may be no evidence of wrongdoing other than a possible log file of the query including the SQL injection. As the original query went unfiltered, it is unlikely that the log file will be checked as there is no known cause for concern.

SQL injection is considered to be a bug in application software, not in the database being queried nor in the programming language used to interface with it. It is the programmer's responsibility to code filters and check mechanisms into any application that runs multiple levels of scripting languages. While many advanced computer programming courses provide instruction on the subject, no simple programming tutorial or guide can cover the subject in a complete manner. Therefore, many applications designed or coded by hobbyists have been found to be vulnerable to SQL injection. However, even experienced, professional programmers have been unable to cover all possible SQL injection techniques. Common software that has been found to be susceptible to SQL injection include PHPNuke, vBulletin, WordPress, WBBlog, and literally hundreds of others. Probably the most famous SQL injection incident occurred in early 2005 when the CardSystems Solutions database was discovered to be compromised. Over a quarter of a million credit cards numbers were stolen and over ten million dollars in fraudulent activity has been identified with the case.