SQL injection

SQL injection is an attack that exploits applications which build database queries by inserting untrusted input directly into the SQL text, instead of keeping user data separate from the query.

Cybercriminals use SQL injection, often alongside cross-site scripting (XSS) and malware, to break into websites and extract data or embed malicious code.

SQL injection sends commands through a web application that is connected to a SQL database. If the application does not keep user input separate from the query it builds, it may treat data entered in a form field (such as a username) as part of a command to be executed on the database server. For example, an attacker might enter a string that changes the meaning of the query so that it returns the entire contents of a table, such as customer records and payment information.
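The mechanism described above, shown as an added example rather than code from the original page: a login-style lookup written two ways against a small constructed SQLite table. The table, the usernames and the card fragments are invented sample data; the attacker's input is the classic `x' OR '1'='1` string, which turns a lookup for one user into a condition that is true for every row.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real customer database
    (sample data invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: whatever was typed into the
    form field becomes part of the SQL text, so the input can change the
    query's meaning instead of just being compared as a value."""
    query = (
        "SELECT username, card_last4 FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the SQL text is fixed and the value travels
    separately, so the input can only ever be matched as data."""
    query = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    # Vulnerable: WHERE username = 'x' OR '1'='1'  -> every row comes back.
    print("vulnerable:", lookup_vulnerable(conn, payload))
    # Safe: no customer is literally named "x' OR '1'='1" -> no rows.
    print("safe:      ", lookup_safe(conn, payload))
```

The same payload against `lookup_vulnerable` dumps all three records, while `lookup_safe` returns nothing, because the database never interprets the quotes or the `OR` as SQL. Parameterised queries (prepared statements) are the fix; escaping or filtering input is a weaker substitute that is easy to get wrong.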

Pattern-based defences such as web application firewalls can detect this style of attack by matching known SQL injection patterns in requests sent to the web server. As with any pattern-based system, the patterns must be kept up to date to counter new and creative ways of encoding injection commands, and such filtering is a supplement to fixing the application, not a replacement for it. Regular web application scans can find SQL injection vulnerabilities and provide recommendations on how to fix them, chiefly by replacing string-built queries with parameterised ones.
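To show why the patterns need updating, here is an added example (not from the original page) that runs a simple SQL injection signature over a few constructed web-server log lines. The log format, client addresses and requests are invented for the example. The first pass only URL-decodes each request; the second also normalises inline comments to whitespace, which is enough to catch a payload that hides its spaces inside `/**/`.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines (invented sample data): "<client> <method> <path?query>".
# Line 2 carries the classic payload; line 3 carries the same idea with the
# spaces replaced by inline SQL comments; line 4 is a harmless search.
SAMPLE_LOG = """\
203.0.113.5 GET /login?user=alice&pass=secret
203.0.113.7 GET /login?user=x%27+OR+%271%27%3D%271&pass=a
203.0.113.9 GET /login?user=x%27%2F%2A%2A%2FOR%2F%2A%2A%2F1%3D1--&pass=a
203.0.113.11 GET /search?q=shoes+or+boots
"""

# Signature for the tautology family: a quote closing the intended string,
# then OR, then a comparison such as '1'='1 or 1=1.
SIGNATURE = re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)


def normalise(text):
    """Treat SQL inline comments as whitespace and collapse whitespace runs,
    so that x'/**/OR/**/1=1 is seen the same way as x' OR 1=1."""
    without_comments = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", without_comments)


def flag_requests(log, normalise_first):
    """Return the client addresses whose request matches the signature.
    With normalise_first=False the check works on the decoded request only;
    with True it normalises comments first (the 'updated' pattern logic)."""
    hits = []
    for line in log.splitlines():
        client, _method, target = line.split(" ", 2)
        text = unquote_plus(target)
        if normalise_first:
            text = normalise(text)
        if SIGNATURE.search(text):
            hits.append(client)
    return hits


if __name__ == "__main__":
    print("decode only:       ", flag_requests(SAMPLE_LOG, normalise_first=False))
    print("decode + normalise:", flag_requests(SAMPLE_LOG, normalise_first=True))
```

The decode-only pass flags the plain payload but misses the comment-obfuscated one; adding the normalisation step catches both while still ignoring the innocent "shoes or boots" search. Real attackers have many more encodings than this (case changes, alternative whitespace, hex literals, nested encodings), which is why signature lists grow constantly and why the application itself must use parameterised queries.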

Back to Threatsaurus Home
