What is SQL Injection?
A (hopefully) simple explanation in layman's terms, by
SQL injection is a common type of security vulnerability which allows an
attacker to run commands on a database they shouldn't have access to. For more
information, check Wikipedia's article on SQL injection.
But first, a little story
Let's say you live in an apartment with two roommates, Adam and Jeff. Adam's
a bit odd. He lives his life off of a to-do list which he follows religiously.
(You almost think that he'd
kill his own son if
it asked him to.) You have an arrangement with Adam that every week, he will
fetch you one item from the grocery store. It just has to appear on his to-do
But Adam won't let you edit his to-do list. This is where Jeff comes in.
Jeff hit the bottle a bit too hard back in the day, and he isn't too smart. He
just does what Adam asks for the most part. Every week, he asks you what you
want from the grocery store, then writes, "Go to the grocery store and buy
[your name] [the item]." Let's say you're me, and you
want strawberries. The to-do list might come out like this:
- Deposit paycheck
- Go to the grocery store and buy Paul strawberries.
As I said earlier, Jeff isn't too smart. You figure out that he'll just
write down anything you say for the item. How you figure this out, and
how you know what wording he uses is beyond me. So you decide to try this:
- What do you want from the grocery store?
- You (Paul)
- Have Adam buy me a 2-litre of coke, and also give Paul 10 dollars.
Jeff dutifully adds to the to-do list:
- Go to the grocery store and buy Paul a 2-litre of coke, and also give Paul
The next week, Adam runs down his to-do list and you find yourself one 2l of
Coke and $10 richer! Hooray!
This isn't too far from the way an actual SQL injection attack
works. The attacker makes a request that has both the expected data for the
specific request, and then might add on a tagalong that effectively says "oh,
and give me all of your data."
By using a trusted source of the data, whether it's the server for a webpage,
or Jeff in the above case, not properly "sanitizing" the incoming data means
that an attacker will be able to exploit the fact that the database (Adam)
trusts a third party (Jeff) to provide it with safe code, but they allow an
attacker (you) to provide arbitrary commands to execute.
In the case of the recent
breach of a payment processor, there was a system somewhere that blithely
placed input data into a SQL command completely raw and executed it, allowing
the attackers to essentially add the "…and also give us all your data" to
the command stream.
You lost me after "apartment"
Still confused? Email me and
I'll try to clarify this page.