Testing your defences against SQL injection

So-called SQL injection (SQLi) attacks can be used to delete, modify or retrieve information from the database, and even execute commands on the underlying operating system. Discover how to prevent SQLi on your network.
Websites that serve content in response to user input are generally database-driven. By entering search terms, logging in, clicking options and filters, and using other user interface controls, the user is interacting, via the web server, with the underlying database.

Structured Query Language (SQL) is the standard method of accessing data in most databases. SQL queries are generated by the website, passed to the database and executed to retrieve or modify the information that it holds.

However, if user input is not appropriately validated, it may be possible for an attacker to ‘inject’ raw SQL statements as part of a malicious input, and for these to be executed by the database.

So-called SQL injection (SQLi) attacks can be used to delete, modify or retrieve information from the database, and even execute commands on the underlying operating system. The most common SQLi attacks result in an attacker gaining access to and ‘dumping’ large amounts of data in the database that they should not have been able to access...
BAE Systems, Threat Research Team, 13 January 2016