We made it! Here we are with our second In Depth email. It may be a week late, but I’m sure the wait has been worth it. I hope you found last weeks’ security tip helpful - it’s easy to overlook, but is important for securing your app. This week, as promised, we’re looking into SQL Injection. I’m very excited for this one, as we’re going to do some actual attacks - not just look at theory and code. I have an interactive demo site up and running (details below), and I hope you have as much fun exploring the various attacks as I did creating them.

While working on this topic, it got me thinking about what I’m trying to achieve with this mailing list. I love the idea of producing more interactive demos to accompany these In Depth emails, so that’s something to look out for in future months1.

Now, before we begin, I need you to promise that the skills I teach you will be used for good, not evil. If you’re here to do evil, stop reading now! 🤫

SQL Injection (SQLi)

What is SQL Injection?

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

OWASP SQL Injection Overview

I like to think of SQL injection attacks modifying or hijacking a query for malicious purposes. They can happen any time the attacker is allowed to control some aspect of the query beyond what the developer is expecting.

There are two main types of SQL injection vulnerabilities: