SQL injection attacks: What IT pros need to know
SQL injection attacks have been around for a long time, and they remain a major security risk. This ebook explains where the dangers lie and what you can do to protect your organization from these attacks.
From the ebook:
What are SQL injection attacks?
Structured Query Language, or SQL, is a method of managing relational databases that was first conceived in the 1970s. Since then, it has become the standard in database management systems (DBMSes) and can be found in countless organizations around the world.
With the rise of the internet, web applications connected to SQL databases became commonplace, and it took no time at all for SQL injection attacks to become a reality. Since first being discovered in 1998, SQLi has been the bane of almost every organization with a data-driven web app.
SQLi works, at least on the surface, in a straightforward manner: An attacker submits a malicious SQL statement in a fillable field that exploits a vulnerability in the web app’s SQL implementation.
If successful, the malicious SQL statement can dump the entire contents of a database or select data like customer records, employee ID/password combinations, or anything else the targeted database contains. SQLi can also give an attacker administrator access to a database, allowing them to delete or modify data.
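To make the mechanism concrete, here is an added example (not code from the ebook) that builds a lookup query two ways over a constructed in-memory SQLite table: one by splicing the field value into the statement text, and one with a parameterized query where the value is passed to the driver separately and can only ever be compared as data.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo; not a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # The untrusted field value becomes part of the statement text, so a
    # value containing quotes and SQL keywords changes what the query means.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # The statement text is fixed. The driver binds the value as a string
    # parameter, so the same input is compared literally and matches nothing.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# A field value that, once spliced into the vulnerable query, turns the
# WHERE clause into a tautology and returns every row in the table.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_user_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_user_vulnerable(conn, TAUTOLOGY),
        "safe_normal": lookup_user_safe(conn, "alice"),
        "safe_tautology": lookup_user_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable path returns the whole table for the tautology input, which is the "dump the entire contents" outcome described above; the parameterized path returns nothing because the input never reaches the SQL parser as code.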
Depending on the nature of the SQL database, an SQLi attack can even give an attacker access to the operating system of the machine that hosts it, which can allow the attacker to gain access to other network resources.