chapter six

6 SQL Injection (and other Injections)


This chapter covers

  • How string concatenations can lead to SQL injection;
  • Why arbitrary execution of commands as a result of SQL injection is dangerous;
  • How SQL injection may be prevented with prepared statements;
  • How using an OR (object-relational) mapper prevents SQL injection, unless you are still using SQL;
  • What other types of injection attacks exist.
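As an added illustration of the first and third bullets (example code written for this edit, not taken from the book), here is a constructed in-memory SQLite database queried once by string concatenation and once with a bound parameter; the table, rows and the `find_user_*` helpers are all assumptions made for the demonstration:

```python
import sqlite3


def make_db():
    """Constructed sample data: three users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL text itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    """Prepared statement: the string is bound as a value and can never be parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both variants against a benign name, a name with a quote, and a tautology."""
    conn = make_db()
    tautology = "x' OR 'a'='a"          # classic textbook payload, here only to show the effect
    results = {
        "concat_alice": find_user_concat(conn, "alice"),
        "concat_tautology": find_user_concat(conn, tautology),   # returns every row
        "prepared_alice": find_user_prepared(conn, "alice"),
        "prepared_tautology": find_user_prepared(conn, tautology),  # no such literal name
        "prepared_quote": find_user_prepared(conn, "o'brien"),  # quotes need no escaping
    }
    try:
        results["concat_quote"] = find_user_concat(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # The stray quote breaks the statement: concatenation is a correctness bug too.
        results["concat_quote"] = f"error: {exc}"
    return results
```

The same contrast applies to any client library: the fix is not escaping quotes by hand but keeping user data out of the statement text entirely.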

In early March of 2021, Ars Technica reported[1] that roughly 70GB of data had been stolen from the infamous social media platform Gab. This data included passwords and other user data, private messages, and more. The reason: the code was vulnerable to SQL injection. This allowed an anonymous attacker to access and download this vast amount of data and to make it available to selected researchers.

6.1 Anatomy of an SQL Injection Attack

SQL stands for “Structured Query Language” and was invented in the 1970s to provide a language for communicating with a relational database, among other things to read data from it and write data to it. Even its creators (Donald D. Chamberlin and Raymond F. Boyce) could probably not have imagined back then that their brainchild would still be in use almost 50 years later. That there would one day be websites where user input is sent to a web server, put into SQL queries, and then executed against a database was certainly far from anyone’s imagination at the time.

6.2 Prepared Statements

6.3 Entity Framework

6.4 XML External Entities

6.5 Other Injections

6.6 Summary