SQL injection is one of the most common web application risks, because it is easy to find and easy to exploit. Any website that runs on a SQL database and builds its queries carelessly is susceptible to it.

The attack is commonly aimed at forms and login screens. Take a vulnerable web app as an example. When a form is submitted, the input is compared against the database using a SQL query. Because the input is not checked before being pasted into the SQL command, this is where things go wrong quickly. Consider a submission where the username is set to "ronald" and the password to "ishak". This is what the SQL would look like:

SELECT id FROM users WHERE username="ronald" and password="ishak"

Now imagine the username is replaced with text that extends the SQL command. If the username closes the string literal and appends another statement, such as "; DROP TABLE users; -- , the database receives a query that first selects from the table and then drops it, with the rest of the original query commented out (the double quote matches the quoting style of the query above; in databases that use single quotes for strings, the payload uses a single quote instead). Whether the second statement actually runs depends on the database and driver, since many refuse to execute more than one statement per call, but no stacked statement is needed to do damage: a password of " OR "1"="1 makes the WHERE clause true for every row and logs the attacker in without knowing any password at all. The point is that with SQL injection the attacker, not the developer, decides what the query says, and so controls the database.

For programmers new to SQL, the rule is never to paste input directly into a query string. The most reliable defence is parameterized queries (prepared statements): the query text is fixed, and the input values are passed separately to the database driver, so quote characters in the input can never change the structure of the command. Checking or escaping special SQL characters in the input is a weaker fallback, because escaping rules differ between databases and it is easy to miss a case. There are also automated scanners that can test an entire web app for SQL injection vulnerabilities; they are a useful check, but not a substitute for writing the queries correctly in the first place.
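The following is an added example, not code from the original post, that puts the attack above and the parameterized fix side by side against a small in-memory SQLite table. The users table, the single account ('ronald' / 'ishak'), the function names and the payloads are all constructed for this example; the post itself shows only the query text. SQLite's standard string delimiter is the single quote, so the query and the payloads use ' where the post's MySQL-style query uses ".

```python
import sqlite3

# Constructed data for the example: one users table with one account.
# (Assumption: the original page does not show the schema.)


def make_db():
    """Create the in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('ronald', 'ishak')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The page's pattern: raw input pasted straight into the query string."""
    query = (
        f"SELECT id FROM users WHERE username='{username}' "
        f"and password='{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver passes the values separately,
    so quote characters in the input never become part of the SQL."""
    query = "SELECT id FROM users WHERE username=? and password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def table_survives_stacked_payload(conn):
    """Try the 'close the string, append DROP TABLE' payload and report whether
    the users table still exists afterwards.

    sqlite3's execute() refuses to run more than one statement per call
    (it raises an error on the stacked DROP), so this payload fails here.
    Other drivers that allow multi-statement execution would run the DROP.
    """
    payload = "x'; DROP TABLE users; --"
    try:
        login_vulnerable(conn, payload, "whatever")
    except (sqlite3.Error, sqlite3.Warning):
        pass  # older Pythons raise Warning, newer ones ProgrammingError
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row is not None


def demo():
    """Run each login attempt and return the user id each one yields."""
    conn = make_db()
    bypass = "' OR '1'='1"  # turns the WHERE clause into (...) OR '1'='1'
    return {
        # Legitimate login: returns ronald's id.
        "normal": login_vulnerable(conn, "ronald", "ishak"),
        # Unknown user, bogus password, but the OR makes every row match.
        "bypass_vulnerable": login_vulnerable(conn, "nobody", bypass),
        # The -- comments out the password check entirely.
        "comment_vulnerable": login_vulnerable(conn, "ronald' --", "wrong"),
        # Same payloads through placeholders: treated as literal strings.
        "bypass_parameterized": login_parameterized(conn, "nobody", bypass),
        "comment_parameterized": login_parameterized(conn, "ronald' --", "wrong"),
        # Stacked statement: refused by sqlite3, so the table survives.
        "table_survives": table_survives_stacked_payload(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the two faces of the same query: with string formatting, a nonexistent user and a payload password get id 1 back, and a trailing comment skips the password check; with placeholders, the identical inputs simply fail to match any row. The stacked DROP is refused by this particular driver, which illustrates the caveat above: that a payload does not happen to work against one database is no reason to leave the string concatenation in place.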