SQL Injection Attack

What is SQL Injection?

SQL Injection is a code injection technique in which an attacker manipulates an application's SQL query so that the database performs operations the attacker is not normally authorized to perform as a user.

Example of a SQL Injection attack

An attacker might be able to retrieve additional information from a query by modifying it. For example, suppose we have a query that fetches orders based on status and user, with both values inserted directly into the SQL text:

SELECT * FROM orders WHERE status = 'CONFIRMED' AND user_id = 'f71e92b4-3188-412b-929c-f68b6e969353'

An attacker might modify the query by passing the value ' OR 1 = 1 -- as the status. This effectively turns the query into:

SELECT * FROM orders WHERE status = '' OR 1 = 1 -- ' AND user_id = 'f71e92b4-3188-412b-929c-f68b6e969353'

This query returns every order in the table, regardless of user. The reason is that -- is the comment indicator in SQL: once the parser encounters it, the rest of the line is treated as a comment, so the user_id condition is never evaluated. (In MySQL the -- must be followed by a space, which is why the injected value above ends with one.)

What are the consequences of a SQL Injection attack?

  1. An attacker might be able to read information from the table that he/she is not authorized to see.
  2. An attacker might modify or delete data in the database.
  3. An attacker might be able to log into a more privileged user account.

How to prevent SQL Injection attacks?

You can prevent SQL Injection attacks by using placeholders (parameterized queries) or named placeholders, so that user input is passed to the driver as data rather than spliced into the SQL text, like this:

Placeholder:

// Positional placeholders: the driver binds each ? to one value from the
// array, in order, so the input can never be parsed as part of the SQL.
connection.query("SELECT * FROM orders WHERE status = ? AND user_id = ?", [
  orderStatus,
  userId
], (error, results) => {
  // ...
});

Named placeholder:

// Named placeholders: values are bound by name from the object. The driver
// must support this syntax (for example mysql2 with the namedPlaceholders: true
// connection option); the plain mysql package only supports ? placeholders.
connection.query("SELECT * FROM orders WHERE status = :status AND user_id = :userId", {
  status: orderStatus,
  userId: userId
}, (error, results) => {
  // ...
});
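To see why placeholders stop the attack shown above, here is an added example that is not part of the original post. It contrasts string concatenation with placeholder binding for the same orders query and the same ' OR 1 = 1 -- input; quoteLiteral, bindPositional and bindNamed are small illustrative helpers that imitate what a driver does when it binds parameters, not the code of any real driver.

```javascript
// Vulnerable: user input is pasted straight into the SQL text.
function buildUnsafe(status, userId) {
  return `SELECT * FROM orders WHERE status = '${status}' AND user_id = '${userId}'`;
}

// Minimal literal escaping (illustrative, not a real driver): double every
// single quote and wrap the value in quotes, so the value can never close the
// string literal it is placed in.
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Positional placeholders: each ? is replaced by one escaped value, in order.
// Simplified: it does not skip ? characters inside SQL string literals.
function bindPositional(sql, params) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error("not enough parameters");
    return quoteLiteral(params[i++]);
  });
  if (i !== params.length) throw new Error("too many parameters");
  return out;
}

// Named placeholders: each :name is looked up in an object, so argument
// order no longer matters and a missing name is an error, not silent SQL.
function bindNamed(sql, params) {
  return sql.replace(/:([A-Za-z_]\w*)/g, (_, name) => {
    if (!(name in params)) throw new Error(`missing parameter ${name}`);
    return quoteLiteral(params[name]);
  });
}

// Constructed sample input: the user id from the post and the injected status.
const userId = "f71e92b4-3188-412b-929c-f68b6e969353";
const payload = "' OR 1 = 1 -- ";

// Concatenation lets the quote end the literal and -- hide the user_id check:
//   SELECT * FROM orders WHERE status = '' OR 1 = 1 -- ' AND user_id = '...'
console.log(buildUnsafe(payload, userId));

// With binding, the whole payload stays inside one quoted string value and is
// compared against the status column like any other text:
//   SELECT * FROM orders WHERE status = ''' OR 1 = 1 -- ' AND user_id = '...'
console.log(bindPositional(
  "SELECT * FROM orders WHERE status = ? AND user_id = ?", [payload, userId]));
console.log(bindNamed(
  "SELECT * FROM orders WHERE status = :status AND user_id = :userId",
  { status: payload, userId }));
```

Real drivers either escape client-side like this or send the SQL and the values to the server separately (true prepared statements); in both cases the input never becomes SQL syntax.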

Note: The content of this blog is based on my understanding of this topic. If you as a reader feel that there is something wrong in this post or that something can be explained in more detail, please feel free to comment and let me know. I look forward to learning from you. Thanks!

Photo Credits: https://www.pexels.com/@soumil-kumar-4325
