What is SQL Injection?

A (hopefully) simple explanation in layman's terms, by Paul Fisher

SQL injection is a common type of security vulnerability which allows an attacker to run commands on a database they shouldn't have access to. For more information, check Wikipedia's article on SQL injection.

But first, a little story

Let's say you live in an apartment with two roommates, Adam and Jeff. Adam's a bit odd. He lives his life off of a to-do list which he follows religiously. (You almost think that he'd kill his own son if it asked him to.) You have an arrangement with Adam that every week, he will fetch you one item from the grocery store. It just has to appear on his to-do list.

But Adam won't let you edit his to-do list. This is where Jeff comes in. Jeff hit the bottle a bit too hard back in the day, and he isn't too smart. He just does what Adam asks for the most part. Every week, he asks you what you want from the grocery store, then writes, "Go to the grocery store and buy [your name] [the item]." Let's say you're me, and you want strawberries. The to-do list might come out like this:

As I said earlier, Jeff isn't too smart. You figure out that he'll just write down anything you say for the item. How you figure this out, and how you know what wording he uses is beyond me. So you decide to try this:

What do you want from the grocery store?
You (Paul)
Have Adam buy me a 2-litre of coke, and also give Paul 10 dollars.

Jeff dutifully adds to the to-do list:

The next week, Adam runs down his to-do list and you find yourself one 2l of Coke and $10 richer! Hooray!

Wait, what?

This isn't too far from the way an actual SQL injection attack works. The attacker makes a request that has both the expected data for the specific request, and then might add on a tagalong that effectively says "oh, and give me all of your data."

By using a trusted source of the data, whether it's the server for a webpage, or Jeff in the above case, not properly "sanitizing" the incoming data means that an attacker will be able to exploit the fact that the database (Adam) trusts a third party (Jeff) to provide it with safe code, but they allow an attacker (you) to provide arbitrary commands to execute.

In the case of the recent breach of a payment processor, there was a system somewhere that blithely placed input data into a SQL command completely raw and executed it, allowing the attackers to essentially add the "…and also give us all your data" to the command stream.

You lost me after "apartment"

Still confused? Email me and I'll try to clarify this page.