What is SQL Injection? - Example & Prevention

Instructor: Sudha Aravindan

Sudha has a Doctor of Education degree and is currently working as an Information Technology Specialist.

In this lesson we will learn about SQL injection and how it is used by hackers to retrieve secure data. We will also discuss real-life examples and how SQL injection can be prevented.

SQL Injection

A relational database is a database where data is stored in the form of tables, records and columns, and data is located through relationships between the tables in the database. SQL, or Structured Query Language, is the language used to 'talk' to a database. SQL queries can be used to retrieve data, search data, and even delete entire tables and databases.

SQL injection happens when a web application with a relational database at the back end uses data entered into its input fields as part of a SQL query, and that query is executed without a comprehensive validation and error-checking process. SQL injection is commonly used by hackers to retrieve secure information from databases.

For example, when you log in to your online bank account using your user name and password, you are presented with text boxes to enter your user credentials. Users simply enter the required information, log in, and access their account. But suppose someone with malicious intent creates an account with the bank and tries to retrieve unauthorized information by typing SQL code into the text boxes provided for the login credentials. If the web application has not been validated for security and allows unexpected code to be entered and executed, then we have a SQL injection. The hacker now has full access to the database, and its contents can be retrieved by typing in any SQL code that the application will inadvertently execute and for which it will return results.

Conditions of SQL Injection

SQL injection happens because of security vulnerabilities in the software used to create the web application. An insecure web application allows untrusted code to be entered into text fields, and that code is then executed as part of a SQL query. In this case the error is on the part of the software application for allowing the code to be executed without proper validation. A hacker who is well versed in SQL can then input fragments of SQL queries with the malicious intent of accessing secure data from the database. A SQL injection requires just 2 conditions:

  1. A database backend which can be controlled through SQL queries.
  2. User input that is used in a SQL query.

Examples of SQL Injection

There are many ways in which hackers try to exploit the potential vulnerabilities of a web-based application. Some of the outcomes attackers aim for when exploiting a database through SQL injection include:

  • Successful attempt to login to a web application without a valid password
  • Unauthorized creation, deletion and manipulation of database records
  • Successfully extracting a large number of unauthorized records from a database when only one row is expected

Some real life examples of SQL Injection include:

  1. The Panama Papers - Millions of files and thousands of terabytes of data were stolen from a law firm and made available to the world media. Here a Drupal web portal was attacked with SQL injection code.
  2. Personal information of registered voters in the Philippines was leaked online - data was queried from a MySQL database, and biometric and statistical information was accessed.
  3. Data on Qatari royal family, government officials and journalists was leaked - data was stolen from the Oracle database and leaked credentials were used to access bank accounts.

SQL Injection using an always-true condition

An account holder types in their user name and password to log in to a banking website. There are 2 text boxes provided for the user to type in their name and password. Behind the scenes, the query looks like this:

SELECT name, pwd, account_number
FROM user_table
WHERE name = ? and pwd = ?;

When the user presses the Enter key the query executes and the user sees their account information displayed on the site.

One of the ways an attacker modifies the query is by entering the text 'or 1=1' in one of the fields. The back-end query will then look as follows:

SELECT name, pwd, account_number
FROM user_table
WHERE name = ? and pwd = ? or 1 = 1;

In this case, since 1=1 is always true and AND is evaluated before OR, the WHERE clause is true for every row in the table. The attacker will now have access to all of the names, passwords and account numbers in the database, and not just the information matching that of the logged-in user.

In this case, one of the validation methods should be that no criteria evaluating to always true can be added to the query by the user; keeping user input out of the query text altogether, so that it is treated only as data, achieves this.
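The login example above, written out as an added example that is not part of the original lesson: a Python script with an in-memory SQLite database (the table, column names and account holders are constructed for this example) shows the vulnerable pattern, where the typed password is pasted into the query text, next to the hardened pattern, where the query keeps the '?' placeholders from the lesson and the database driver binds the values as data.

```python
import sqlite3

# Constructed sample data for this example (not from the lesson): a tiny
# user table with three account holders. Column names follow the lesson's
# query, with underscores instead of hyphens so they are valid SQL identifiers.
# A real application would store password hashes, not the passwords themselves.
SAMPLE_USERS = [
    ("alice", "s3cret", "ACC-1001"),
    ("bob", "hunter2", "ACC-1002"),
    ("carol", "letmein", "ACC-1003"),
]


def make_db():
    """Create an in-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (name TEXT, pwd TEXT, account_number TEXT)"
    )
    conn.executemany("INSERT INTO user_table VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, pwd):
    """The insecure pattern: user input is pasted into the SQL text.

    Whatever the user types becomes part of the query, so an always-true
    fragment such as the lesson's 'or 1=1' rewrites the WHERE clause itself.
    """
    query = (
        "SELECT name, pwd, account_number FROM user_table "
        f"WHERE name = '{name}' AND pwd = '{pwd}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, name, pwd):
    """The hardened pattern: the SQL text is fixed and carries '?' placeholders.

    The driver binds name and pwd separately from the query text, so the input
    is compared as a plain string value and is never parsed as SQL.
    """
    query = (
        "SELECT name, pwd, account_number FROM user_table "
        "WHERE name = ? AND pwd = ?"
    )
    return conn.execute(query, (name, pwd)).fetchall()


def demo():
    """Run both login functions with a normal password and an always-true one."""
    conn = make_db()
    # Constructed input for the password field: closes the quoted string and
    # appends an always-true condition, which is the lesson's 'or 1=1' idea.
    always_true = "' OR '1'='1"

    rows = login_vulnerable(conn, "alice", always_true)
    print("vulnerable query returned", len(rows), "rows:", rows)

    rows = login_safe(conn, "alice", always_true)
    print("parameterized query returned", len(rows), "rows:", rows)

    rows = login_safe(conn, "alice", "s3cret")
    print("parameterized query with the right password:", rows)


if __name__ == "__main__":
    demo()
```

Running the script shows the vulnerable query returning every row in the table for the always-true input, while the parameterized query returns nothing for it and exactly one row for the correct password. Binding values this way is the robust form of the validation the lesson calls for: the application never has to recognise an always-true fragment, because user input cannot become part of the query at all.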
