T 5.131 SQL injection

If an application accesses data in an SQL database, its requests are transmitted to the database in the form of SQL commands. If the application is susceptible to SQL injection, an attacker can manipulate the input data so that changed or additional SQL commands are forwarded to the database by the application and processed there. In this way, arbitrary SQL commands can be executed, and the security mechanisms that the application enforces during data access can be bypassed, just as they would be with direct access to the database.

Therefore, an SQL injection may have effects such as the following:

In this case, the SQL command can be injected because the input data is insufficiently validated within the application and is inserted directly, in this form, into a dynamically constructed database query (see also T 4.84 Inadequate validation of input and output data in web applications).
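The mechanism described above, shown as an added example that is not part of the threat catalogue: a lookup that concatenates unvalidated input into the query text, placed beside the same lookup using a bound parameter. The table, its two rows and the crafted input are constructed for this illustration; the database is an in-memory SQLite instance from Python's standard library.

```python
import sqlite3


def setup_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Input is spliced directly into the SQL text (the flaw the catalogue describes).

    Any quote character in `name` ends the string literal early, so the
    remainder of the input is interpreted as SQL rather than as data.
    """
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, name):
    """Input is passed as a bound parameter; the SQL text is fixed.

    The database driver transmits the value separately from the command,
    so the input can never change the structure of the query.
    """
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


if __name__ == "__main__":
    db = setup_db()
    crafted = "x' OR '1'='1"          # constructed input containing a quote
    print(lookup_vulnerable(db, crafted))      # returns every user, not one
    print(lookup_parameterized(db, crafted))   # returns nothing: no such name
```

The parameterized form is the primary mitigation; input validation (T 4.84) is a complementary layer, not a substitute for it.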

SQL injection is a special case of an injection attack (see T 5.174 Injection attacks) that is directed only against SQL databases. The same basic approach of injecting commands is also possible with other interpreters (e.g. LDAP injection, XML injection).