What is an SQL Injection?

A Structured Query Language (SQL) injection is a type of attack that is almost always attempted against a website that is database driven. It is an endeavor to insert malicious code into the SQL queries of the site in order to interfere with data management by destroying, altering or revealing data that is stored in the tables of the database that drives the site. SQL is a standard programming language employed to create, update and retrieve data that is stored in databases.

The dangers of SQL injection attacks are numerous and often very devastating when they are successfully carried out. Sensitive information such as credit card numbers, a person's medical records, usernames and passwords for accounts such as online banking and email as well as various types of identification numbers can be exposed to cybercriminals. Although the theft of data probably is the principal goal of anyone who attempts to use SQL injection, it is not the only motivation for the use of this or any other type of code injection technique, such as cross-site scripting. Visitors to a website displaying information that they don't like might attempt SQL injection attacks to disable the site, steal data or alter the data to destroy the mission of the people behind the site.

Sometimes an SQL injection attack is attempted against a website by a disgruntled visitor who might have had his or her account banned by the site owners, who envies the popularity of the site or who seeks to destroy the online business of someone he or she considers to be an enemy. Knowledge of SQL obviously is required to launch an SQL injection attack, but it is not generally considered a very difficult language to learn, compared with other programming languages, and much can be accomplished with only a basic, but solid, understanding of how to use it. This means that there are a good number of people who surf the Internet who have the necessary skill to attempt SQL injection against a website.

Web developers, particularly those who specialize in back-end web development, are responsible for ensuring that the sites they program are secure against SQL injection. There almost always is more than one way to achieve such important security, and most of those methods are considered simple but very effective solutions. For example, a developer can use the mysql_real_escape_string() function or prepared statements when scripting in the hypertext preprocessor (PHP) language. The methods chosen to guard against attack must be carefully considered, because the performance of the site as a whole cannot be disregarded even when setting up security.