Even though they have been around since 1998 and are straightforward to defend against, structured query language (SQL) injection attacks remain a threat to web application security today. According to the Verizon 2020 DBIR, over 80% of breaches within the Hacking action category involve brute force or the use of lost or stolen credentials, as well as SQL injection. According to Akamai's December 2020 State of the Internet report, the financial services industry alone was hit with millions, if not tens of millions, of attacks every day.
What is a SQL injection attack?
SQL injection is a way of gaining control of a web application's database by manipulating how the application communicates with it in SQL (structured query language), the widely used language for querying and managing relational databases. When a website or application needs to retrieve data from its database, it issues SQL statements and then processes and displays the results to the user.
In a SQL injection attack, the attacker supplies input through the front end of a website or application that the application inserts into a database query; because the database cannot distinguish the application's SQL from the attacker's, the malicious SQL alters the query and forces the database to perform actions it was never meant to. If the web application executes the unexpected input in this way, attackers can run their own SQL against the database and read, modify, copy or destroy data.
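The mechanism described above, shown as an added example that is not part of the original article: a lookup that splices user input into the SQL text beside the same lookup written as a parameterized query, run against a constructed in-memory SQLite table with Python's standard sqlite3 module. The user data and the test inputs are constructed for illustration; the allow-list check is a defence-in-depth layer, not a substitute for parameterization.

```python
import re
import sqlite3

# Constructed sample data (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)"
    )
    # Parameterized insert: the values travel separately from the SQL text.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the untrusted value is pasted into the SQL string.

    The database receives one blob of text and cannot tell which part is the
    application's query and which part came from the user, so a value that
    contains SQL syntax changes the meaning of the query.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """HARDENED: a parameterized query.

    The SQL text is fixed at development time; the driver binds the value as
    a single string literal, so whatever it contains can only ever be compared
    against the username column and never becomes part of the query structure.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Allow-list validation used as an extra layer in front of the query.

    Rejecting anything outside a tight character set gives an early, loggable
    signal of tampering. It does not replace parameterization.
    """
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


def demo():
    """Run both lookups with a normal value and with a constructed tautology."""
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # constructed test input, not a real request
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),  # returns every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_tautology": lookup_safe(conn, tautology),  # returns no rows
        "validation_rejects_tautology": not is_valid_username(tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the normal value both functions return Alice's row. With the tautology input the vulnerable function's WHERE clause becomes `username = '' OR '1'='1'` and every user is returned, while the parameterized version compares the whole string against the column and returns nothing; the allow-list check rejects the input before it ever reaches the database.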
SQL injection attacks are usually financially motivated, but they can also be carried out for corporate espionage, political gain or bragging rights within the hacker community.
What's at risk?
If you're hit by a SQL injection attack, your data could be lost, destroyed or disclosed to unauthorized parties. If an attacker takes control of your database, you might lose access to it altogether.
Many high-profile data confidentiality breaches can be traced back to SQL injection, and they caused significant financial damage. Whether the consequences are downtime, recovery costs, regulatory penalties or negative publicity, a successful compromise can be crippling.
The risk to a database's integrity cannot be overstated. In many cases, a compromised database server is also used as an infiltration point for attacks on other, third-party sites.