English
Contact Us

The Platform

Solutions

Customers

Partners

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

Reveal(x)

The industry's only network detection
and
response platform that delivers the
360-degree
visibility needed to
uncover the cybertruth.

Deployment Model

SaaS-Based Solution >

On-Premises Solution >

Security

Network Detection and Response >

Intrusion Detection System >

Forensics >

Performance

Network Performance Monitoring >

Forensics >
caret-left Back

Solutions

Learn More

Use Cases

Explore By Industry Vertical
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Learn More

Customer Community

Cybersecurity Services

ExtraHop Support
caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Learn More

Work With Us! Become a Partner

Integrations and Automations

Partners
caret-left Back

Blog

Learn More
caret-left Back

About Us

Events & Newsroom

Careers

Resources

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

Contact Us

caret-left Back

Events & Newsroom

Get the latest news and information.

Learn More

Sign Up for a Live Attack Simulation

Upcoming Webinars and Events

caret-left Back

Careers

We believe in what we're doing. Are you ready to join us?

Learn More

Careers at ExtraHop

Search Openings

Connect on LinkedIn

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories & Case Studies

Ransomware Attacks in 2021: A Retrospective

Cyberattack Glossary

Network Protocols Glossary

Documentation

Firmware

Training Videos

SQL Injection (SQLi) Attacks: Definition, Examples, and Prevention

Risk Factors

Likelihood

Complexity

Business Impact

SQL Injection (SQLi) Attack

What Is SQL Injection (SQLi)?

A SQL injection is a common hacking technique which can compromise a database. By "injecting" an SQL command or code fragment into a legitimate data entry field (like a password field), attackers can use SQL to communicate directly with a database. This works because SQL does not differentiate between the control and data planes.

A successful exploit can trick the database into sharing restricted data, modify data, execute administration operations on the database (like shutting down a DBMS such as Db2), recover the content of a given file present on the DBMS file system, and even issue commands to the operating system.

SQLi is a type of code injection attack.

Examples of SQL Injection Attacks

In-Band SQLi

An attacker uses the same communication channel, such as a database error or UNION SQL operator, to both launch an attack and collect results.

Inferential (Blind) SQLi

By sending payloads to a server, an attacker can observe a web application's response and reconstruct the database based on the server's behavior.

Out-of-Band SQLi

An attacker can extract data from an outbound DNS or HTTP protocol. This type of attack is typically used when attackers are unable to access a database for an in-band SQLi attack.

Protection Against SQLi Attacks

Here are some ways to protect against SQL injection attacks:

  1. Use parameterized queries, validate user-submitted input, and use stored procedures
  2. Avoid dynamic SQL
  3. Block known malicious input
  4. Sanitize inputs

Limiting the ways that queries are made to the database can close loopholes that attackers use. Stored procedures combat SQL injection attacks by limiting the types of statements that can affect the database.

One approach is to enforce strict input validation by only accepting characters from a list of safe values (also known as whitelisting). Another approach rejects any input that matches a list of potentially malicious values (also called blacklisting).

Blocking everything except approved entries can be very effective, but is difficult to implement and requires continual maintenance. Attempting to block malicious inputs is generally seen as an ineffective technique because there are many ways to fool the filters looking for malicious code. For example, attackers can:

  • Use upper and lowercase letters to bypass case-sensitive filters
  • Use the escape character to bypass filters
  • Use different types of encoding to avoid detection

These are just a few examples of the many methods used to try and bypass these types of defenses.

Detection of this attack can be enhanced using decryption. This is because SQL Injection attacks usually originate from HTTPs over port 443 with encryption protocols such as TLS. Additionally decrypted SQL traffic can be used for detection of SQL injection style attacks. For that reason, it's critical that security tools have decryption capabilities for all common encryption protocols including TLS 1.3 and Kerberos.

SQL Injection History

Jeff Forristal, under the alias Rain Forrest Puppy, is credited with being the first to document SQL injection with his posts in Phrack Magazine in December of 1998. At the time, he was writing about how to hack into Windows NT servers when he discovered that inputting certain commands could force a server to give up information shared on it. Fifteen years after its initial disclosure, SQLi remains among the top vulnerabilities.

Related Reading

SQL Injection Attacks: What Are They & Detection

Learn More