SQL injection attacks – understanding the basics

A SQL injection attack is a procedure often used to attack database-backed systems. A hacker injects parts of an SQL query in a way that forces the database to run his statement, exploiting a security flaw in an application. It is mostly used maliciously, causing the database to export/dump, update, or even completely remove its contents.

Example of a basic SQL string that can be exploited by a SQL injection attack:

 SELECT sqldata FROM sqltable WHERE UserEmail = '$email_address';

Example of a basic SQL injection string:

 email@gmail.com'; UPDATE sqltable SET UserEmail = 'hackers@gmail.com' WHERE UserEmail = 'bob@gmail.com';

Which would be run like this:

 SELECT sqldata FROM sqltable WHERE UserEmail = 'email@gmail.com'; UPDATE sqltable SET UserEmail = 'hackers@gmail.com' WHERE UserEmail = 'bob@gmail.com';

As you can see, the SQL injection attack updates a user's email address in order to gain access to the account.
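
The same input handled by string concatenation and by a parameterized query, as an added example that is not from the original article. It assumes Python's built-in sqlite3 module and an in-memory table with one constructed row, since the article names no language or database.

```python
import sqlite3

# The injection string shown in the article.
PAYLOAD = ("email@gmail.com'; UPDATE sqltable SET UserEmail = 'hackers@gmail.com' "
           "WHERE UserEmail = 'bob@gmail.com';")

def make_db():
    """In-memory database with one constructed row, using the article's names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sqltable (UserEmail TEXT, sqldata TEXT)")
    db.execute("INSERT INTO sqltable VALUES ('bob@gmail.com', 'bob data')")
    db.commit()
    return db

def lookup_vulnerable(db, email_address):
    """Builds the query by string concatenation, as in the article's example."""
    query = "SELECT sqldata FROM sqltable WHERE UserEmail = '" + email_address + "';"
    try:
        # executescript() accepts several ';'-separated statements in one call.
        db.executescript(query)
    except sqlite3.Error:
        # The leftover "';" from the template is a syntax error, but it is
        # reported only after the earlier statements have already run.
        pass

def lookup_safe(db, email_address):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    cur = db.execute("SELECT sqldata FROM sqltable WHERE UserEmail = ?",
                     (email_address,))
    return cur.fetchall()

def stored_emails(db):
    """Returns every UserEmail currently in the table."""
    return [row[0] for row in db.execute("SELECT UserEmail FROM sqltable")]

def demo():
    vulnerable_db, safe_db = make_db(), make_db()
    lookup_vulnerable(vulnerable_db, PAYLOAD)
    rows = lookup_safe(safe_db, PAYLOAD)
    return stored_emails(vulnerable_db), stored_emails(safe_db), rows

if __name__ == "__main__":
    print(demo())
```

sqlite3's `execute()` refuses more than one statement per call, which limits stacked statements like this one, but the parameterized query is the actual fix because it also stops injection inside a single statement.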