Interactive Web applications have grown to become a large proportion of the Web's content. Many people nowadays use the Internet only for applications such as checking their e-mail, bank accounts, or records at their organizations, such as a student checking her grades at college. Almost all such applications require some sort of interaction with a database. For example, checking a credit card balance first involves user authentication, which requires querying a database table to ensure that the username and password entered are correct. Next, another database table is queried to retrieve the credit card balance.
Structured Query Language (SQL) is the language used for creating, querying, and updating relational databases. SELECT, UPDATE, and INSERT are examples of common SQL commands. Most of the available database management systems, such as MySQL and Oracle, use SQL as their underlying standard, and then add their own extensions. In light of SQL's importance, it is shocking to know that “2008 was the year of SQL injection attacks, according to IBM” (3). As a result, system administrators and security specialists should fully understand SQL injection attacks and their appropriate countermeasures.
What is SQL Injection?
When a user generates a Web request that requires querying a database, for example, by submitting an HTML form, the Web application incorporates parts of that request into an SQL query against that database. The response the user gets typically depends on the information provided in the request. SQL injection is the act of altering the generated SQL query by inserting unexpected SQL code into it through that request data. To illustrate SQL injection, here is a typical scenario in which it can occur.
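As an added illustration (not code from the article), the hypothetical login check below is written two ways: one that pastes the request fields into the SQL text, so a quote character in the input changes the structure of the query, and one that binds the fields as parameters so the query structure stays fixed. The table, user records and function names are constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table with sample rows (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 'secret')")
    conn.execute("INSERT INTO users VALUES ('o''brien', 'pw')")  # name with a quote
    conn.commit()
    return conn

def build_query_vulnerable(username, password):
    # Hypothetical vulnerable construction: request fields become part of the
    # SQL text itself, so a quote in the input is parsed as SQL, not as data.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    try:
        row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    except sqlite3.Error:
        # The input altered the SQL grammar; the query no longer parses as
        # the developer intended. A login for o'brien fails this way.
        return None
    return row[0] if row else None

def login_parameterized(conn, username, password):
    # Placeholders keep the query structure fixed; the driver binds the
    # request fields purely as values, so quotes in them cannot change the SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "o'brien", "pw"))     # None: query broken by the quote
    print(login_parameterized(db, "o'brien", "pw"))  # o'brien: handled as data
```

Logging or alerting on SQL syntax errors raised from request-driven queries, as in the `except` branch, is one practical detection signal that user input is reaching the query text.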
Suppose a user (John) wants to log into a particular Webpage (http://www.example.com). Usually, www.example.com will provide HTML forms for John to fill in his username and password. Typically, the Web...