SQL Injection attacks on the rise

{ July 18th, 2008 }

This blog entry will look at SQL injection attacks and what you can do as a website owner/developer to mitigate this type of attack.

What is a SQL injection Attack?

Too often developers and system administrators focus only on the operating system and the web server as attack vectors and ignore the code that the website itself runs. With more and more sites being dynamic and database driven, SQL injection attacks are on the rise. In a successful SQL injection attack, an attacker can compromise the data stored in the database, deface the website or execute remote code.

A SQL injection attack takes advantage of poor sanitization of user input. When user input is not validated before it is placed in a query, SQL code can be injected into that query, compromising the system/website. This is illustrated on Microsoft's website.

In the example, when user input on a logon page is not sanitized, a malicious user can enter SQL such as "' OR 1=1 --". As described on the MSDN website, injecting this string lets the malicious user bypass the authentication mechanism.

How to mitigate SQL Injection attacks

SQL injection attacks can be mitigated by better coding techniques that validate all input. In the above example, the malicious user was able to manipulate the input parameter because a single quote terminated the string literal in the query. To mitigate this type of attack you can escape single quotes with a replace function that changes ' to '' (two single quotes), so a quote in the input can no longer close the literal. Additionally, limit the permissions granted to the database user the web application runs as.
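The following is an added example, not code from the original post or from SoftCom, that puts the logon scenario above into runnable form. It uses an in-memory SQLite table with one constructed account and compares three versions of the same login check: the vulnerable string-concatenated query, the quote-doubling fix described above, and a parameterized query, which goes beyond the post's escaping advice but is the approach most database drivers recommend. Table and column names, the account, and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: one account, stored in plaintext only to keep
# the example short. Real applications must store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # User input is pasted straight into the SQL text. A username of
    # ' OR 1=1 -- turns the WHERE clause into username = '' OR 1=1 and
    # comments out the password check, so the query matches a row.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_escaped(conn, username, password):
    # The post's mitigation: replace every ' with '' so the quote cannot
    # terminate the string literal. Still string building, so it only
    # protects quoted string contexts, not numeric or identifier positions.
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + u
           + "' AND password = '" + p + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Placeholders: the driver sends the values separately from the SQL
    # text, so input is always treated as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def compare(username, password):
    # Run the same credentials through all three checks; returns a dict
    # so the outcomes can be inspected side by side.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "escaped": login_escaped(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }

if __name__ == "__main__":
    print("valid credentials:", compare("alice", "correct horse"))
    print("injected username:", compare("' OR 1=1 --", "anything"))
```

With valid credentials all three functions return True; with the injected username from the post only the vulnerable version returns True. Escaping by doubling quotes does stop this particular input, but it has to be applied at every place a string is built and does nothing for values that are not quoted in the query, which is why parameterized queries are the more robust default. Pair either fix with the least-privilege database account the post recommends, so that a query that does slip through can read or write only what the application genuinely needs.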

Customers that use third party content management systems should endeavour to upgrade to the latest build and be on the lookout for any security hotfixes/updates from the vendor.

More information:

Thanks,

Darish R.
Operations Manager
SoftCom Technology Consulting Inc.


One Response to “SQL Injection attacks on the rise”

  1. Twit

    Very very informative. Keep up the good work…