What is SQL injection and how do I protect my application?
Solved Email & Outlook
RK
Rachel Kim
May 18, 2020
2 replies
16,480 views
Reviewed by moderators

Security review flagged our internal application as SQL injection risk and the developers assure me it is fine because the site requires login. I need to understand the vulnerability well enough to judge that answer.

What is SQL injection actually, and what does real protection look like?

Accepted Answer
Verified by David Taylor, Database Expert ยท Reviewed May 2020

Good instinct to judge for yourself, because the login answer misunderstands the vulnerability. What it actually is, in one honest example, then the protections that count:

The vulnerability is user input becoming code: an application building queries by gluing strings, a search box feeding WHERE name = '" + userInput + "', lets input containing a quote character escape the data role and continue the statement as SQL. The textbook input of a single quote followed by OR 1=1 turns a login check into a condition true for every row, and the same mechanics escalate to reading other tables, changing data or worse, limited only by what the application's database account may do. The requires login defense fails twice over: injection frequently attacks the login itself, and every authenticated user, plus every attacker holding any stolen credential, faces the same gluing code behind the login, internal applications historically being where injection lives longest precisely because that assurance kept reviews away.

Real protection is one primary discipline with supporting layers. The discipline, parameterized queries: statements written with placeholders, WHERE name = @name, the input bound as a parameter, so the database receives code and data as separate things and no content of the input can change what the statement does. Every language and framework the application could be written in supports this natively, ORMs do it by default until someone concatenates inside a raw query escape hatch and the review your developers owe you is a search of the codebase for string built SQL, each hit either converted or explained. Stored procedures inherit the protection when called with parameters and lose it the moment they build dynamic SQL by concatenation internally, sp_executesql with parameters being the safe dynamic form.

The supporting layers assume the discipline fails somewhere and cap the damage: the application's database account granted only what the application does, no sysadmin connection strings, so an injection that lands reads what the app reads rather than owning the server, errors returned to users kept generic since detailed database errors are the attacker's map, and input validation as the outer moat, valuable against many things while never sufficient alone against this one, because clever encoding slips validation while parameterization holds regardless. OWASP's injection material makes the fine reference for the review, and the one sentence version for judging your developers' answer: protection lives in how queries are built, and nowhere else.

Judged the answer as inadequate, correctly it turns out: the codebase search found eleven string built queries including the login. Ten converted this sprint, one under review, database account de-privileged the same day. The review flag was earned and this explanation let me hold the line in the meeting.