How to Prevent SQL Injection Attacks

Instructor: Lyna Griffin

Lyna has tutored undergraduate Information Management Systems and Database Development. She has a Bachelor's degree in Electrical Engineering and a Masters degree in Information Technology.

In this lesson, we will look at SQL and explain what an SQL injection attack is. We will then examine the methods and tools web application developers can use to prevent such attacks.

What is an SQL Injection Attack?

SQL stands for Structured Query Language. It is the standard language for working with relational databases: a command language used to create, modify, delete, and retrieve both the data and the structures (tables, views, indexes) that make up a relational database system. An SQL injection attack exploits weaknesses in the application code that handles web input, such as form fields, URL parameters, and cookies, so that an attacker can change the SQL statements the application sends to the database and gain access to data, resources, and functionality they are not entitled to. The damage is not limited to stolen or manipulated data: a compromised database can be used to serve malware to visitors, deface the application's pages, or, on some database servers, run commands on the host itself.

SQL Injection: How It Occurs

Database-backed web applications consist of two parts: the front end and the back end. The front end is what the user sees and interacts with; every request it makes is served by the data and data structures held in the database at the back end. SQL injection exploits the weakness of a dynamic SQL statement. A dynamic SQL statement is assembled as a string at run time, with user-supplied values such as a username and password pasted directly into the statement text before it is sent to the database. If the input contains SQL syntax (a closing quote, an OR clause, a comment marker), that syntax becomes part of the statement the database executes. So intruders target weakly coded input forms.

Usually, because users make mistakes when filling in forms, the code behind an input form validates the submitted data, rejecting values that are malformed or out of range, before the request is sent to the database for processing. This validation is also known as sanitizing, or cleaning, the data. Where the coding is poor and the input validation is weak or missing, there is a vulnerability open to SQL injection.
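The following is an added example, not code from the original lesson, showing the weakness described above and the fix. It uses Python's built-in sqlite3 module with a small in-memory users table constructed for the demonstration. The first login function builds the statement dynamically by concatenation; the second keeps the statement text fixed and binds the values as parameters (a prepared statement), so the same payload is treated as an ordinary, non-matching username.

```python
import sqlite3

# Constructed in-memory sample database standing in for the application's back end.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
conn.commit()


def login_dynamic(username, password):
    """Vulnerable: the statement is assembled by string concatenation, so
    whatever the user typed becomes part of the SQL syntax.
    Returns the matched username, or None if no row matched."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(username, password):
    """Safe: the statement text is fixed and the values are bound as
    parameters, so the input is only ever treated as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Classic payload: closes the quoted string, adds an always-true condition,
# and comments out the rest of the WHERE clause (the password check).
INJECTION = "' OR '1'='1' --"

if __name__ == "__main__":
    print(login_dynamic("alice", "s3cret"))          # alice (legitimate login)
    print(login_dynamic(INJECTION, "wrong"))         # alice (password check bypassed)
    print(login_parameterized(INJECTION, "wrong"))   # None (payload is just a string)
```

With the dynamic version the database actually receives `SELECT username FROM users WHERE username = '' OR '1'='1' --' AND password = 'wrong'`, which matches every row. The parameterized version never rebuilds the statement, so there is nothing for the quote or the comment marker to break out of.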

SQL Injection: Prevention

No web application is 100% secure, and SQL injection vulnerabilities are just one of the ways web applications fall short. There are, however, numerous instruments and techniques a web application developer can employ to make their applications and data much safer.

Data Sanitization

This is the process of ensuring that every input on a form is validated, that is, checked against the format and range it is supposed to have, before the request is processed. An example is an input field that is supposed to be exclusively numerical having a validation rule that rejects any value which is not a whole number. Validation is most valuable where the input will end up as part of the statement text itself, such as a column name used for sorting, because such values cannot be passed to the database as query parameters; in that case only an allow-list of known-good values is safe.
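As an added example (not from the original lesson), the following Python code validates two form fields before they reach a query: a numeric record id, which is checked with a regular expression and then still bound as a parameter, and a sort column, which is checked against an allow-list because an identifier has to be interpolated into the statement. The products table and its rows are constructed here purely for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory sample data for the demonstration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                 [("pen", 1.5), ("notebook", 3.0), ("bag", 20.0)])
conn.commit()

# The only column names that may ever appear in ORDER BY.
SORTABLE_COLUMNS = {"id", "name", "price"}
# A numeric field: one to nine ASCII digits and nothing else.
NUMERIC = re.compile(r"[0-9]{1,9}")


def validate_product_id(raw):
    """Reject anything that is not a plain whole number before it goes near a
    query. Returns an int, or raises ValueError."""
    if not NUMERIC.fullmatch(raw):
        raise ValueError("product id must be 1-9 digits, got %r" % (raw,))
    return int(raw)


def validate_sort_column(raw):
    """Identifiers cannot be bound as query parameters, so the only safe way
    to accept a column name from the user is an allow-list lookup."""
    if raw not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column %r" % (raw,))
    return raw


def list_products(max_id, sort_by):
    """Return product names with id <= max_id, ordered by the chosen column.
    The validated identifier is interpolated; the validated value is still
    passed as a bound parameter."""
    column = validate_sort_column(sort_by)
    limit = validate_product_id(max_id)
    sql = "SELECT name FROM products WHERE id <= ? ORDER BY " + column
    return [row[0] for row in conn.execute(sql, (limit,))]


if __name__ == "__main__":
    print(list_products("2", "name"))    # ['notebook', 'pen']
    print(list_products("3", "price"))   # ['pen', 'notebook', 'bag']
    for bad_id, bad_sort in [("2 OR 1=1", "name"), ("2", "name; DROP TABLE products")]:
        try:
            list_products(bad_id, bad_sort)
        except ValueError as exc:
            print("rejected:", exc)
```

Note that the validators reject rather than "clean" the input: stripping quotes or keywords out of a value is fragile and easy to bypass, whereas refusing anything outside the expected format leaves nothing for an attacker to work with.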

Firewalls

A firewall is a hardware or software mechanism used in a networked environment to control incoming and outgoing traffic. For web applications the relevant kind is a web application firewall (WAF), which inspects each HTTP request before it reaches the application and blocks requests that match known attack patterns, for example a form field containing a quote followed by OR, a UNION SELECT, or a comment marker. A good firewall will catch many common injection payloads, but attackers can often evade pattern matching with encoding or reworded payloads, so the firewall is a second layer of defense around the application code, not a replacement for secure coding.
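To make the firewall's job concrete, here is an added example (not code from the lesson or from any real firewall product) of the kind of signature matching a WAF applies to request query strings. The request lines are constructed samples. The filter decodes the request first, since a raw match would miss `%27` standing in for a quote, and the last sample shows the caveat: a tautology written without quotes slips past these signatures entirely.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings as a WAF would see them on the wire.
REQUESTS = {
    "normal login":       "username=alice&password=s3cret",
    "quote tautology":    "username=alice'+OR+'1'%3D'1'--&password=x",
    "union read":         "id=1+UNION+SELECT+username%2Cpassword+FROM+users",
    "stacked drop":       "id=%27%3B+DROP+TABLE+users%3B--",
    "normal search":      "search=notebook",
    "unquoted tautology": "id=1+OR+2>1",   # evades the signatures below
}

# Heuristic signatures for common injection fragments.
SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union",     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("stacked",   re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I)),
    ("comment",   re.compile(r"(--|/\*|#)")),
]


def normalize(query_string):
    """Decode the request the way the application will, otherwise %27 for a
    quote slips past a filter that only matches the raw bytes. Decoding
    twice also unwraps double-encoded payloads."""
    decoded = query_string
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return decoded


def inspect(query_string):
    """Return the names of the signatures the request matches; an empty
    list means the request is allowed through."""
    text = normalize(query_string)
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


if __name__ == "__main__":
    for label, query in REQUESTS.items():
        hits = inspect(query)
        print("%-20s %s" % (label, "BLOCK " + ", ".join(hits) if hits else "allow"))
```

The "unquoted tautology" request shows why signature matching alone is not enough: `1 OR 2>1` is just as effective against a numeric field that is concatenated into a query, yet none of the patterns fire on it.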

Restrict Database Privileges

User access privileges determine the degree and level of access a user has to the data, resources, and infrastructure within the database. System administrators should ensure that every account, including the account the web application itself uses to connect to the database, has just enough privileges to carry out the tasks it needs to perform and no more. An application account that can only read and insert rows in specific tables cannot be used to drop those tables, alter other databases, or run administrative commands, so even a successful injection is contained and the application is saved from the consequences of a severe breach.
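The following added example (not from the original lesson) shows the effect of a restricted application account. In a server database this would be a GRANT list on the application's login; here, as an assumption for the demonstration, an in-memory sqlite3 database and its authorizer callback stand in for that privilege list, allowing only SELECT and INSERT. The statements tried at the end are the sort an injection payload would attempt once it has broken out of the intended query.

```python
import sqlite3

# Constructed sample database. Setup runs with full privileges, as the
# database administrator would create the schema.
conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit, no implicit BEGIN
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")

# What the web application's account may do: read rows and add rows.
# (Assumption for this demo: the sqlite3 authorizer plays the role of GRANT.)
ALLOWED_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_FUNCTION,      # built-ins such as count()
    sqlite3.SQLITE_TRANSACTION,   # BEGIN/COMMIT issued by the driver
}


def least_privilege(action, arg1, arg2, db_name, trigger):
    """Authorizer callback: permit the allowed actions, deny everything else
    (DROP, DELETE, UPDATE, ALTER, ATTACH, ...)."""
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def apply_app_role(connection):
    """Switch the connection to the restricted application role."""
    connection.set_authorizer(least_privilege)


def try_statement(sql):
    """Run one statement as the application account and report the outcome.
    SQLite reports a denied statement as DatabaseError('not authorized')."""
    try:
        conn.execute(sql).fetchall()
        return "ok"
    except sqlite3.DatabaseError:
        return "denied"


# From here on every statement runs under the restricted role.
apply_app_role(conn)

if __name__ == "__main__":
    for sql in [
        "SELECT username FROM users WHERE username = 'alice'",   # ok
        "INSERT INTO users (username, password) VALUES ('bob', 'pw')",  # ok
        "UPDATE users SET password = 'owned'",                   # denied
        "DELETE FROM users",                                     # denied
        "DROP TABLE users",                                      # denied
    ]:
        print("%-7s %s" % (try_statement(sql), sql))
```

The injection itself is not prevented by this control, which is why it sits alongside parameterized queries and input validation rather than replacing them; what changes is that the worst an attacker can do through the application's connection is read the rows that account could already read.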
