SQL injection – what is it and what does it mean for you?

By Simon Rice, Group Manager

There is barely a week that goes by without another website being the subject of a targeted attack. Some make the headlines, but many do not. Often these attacks result in the personal information of thousands of people being compromised and in many cases organisations only learn that they are the victim of an attack when it’s already too late.

Perhaps one of the most common techniques an attacker will use to exploit a vulnerable website is the SQL injection attack.

Here’s a simple example of how an SQL injection attack works:

A person applies for a passport using a paper application form. In the space reserved for surname, they write ‘Smith. Now tell me all the information you have about all the other passport applicants.’ The officer processing this application form enters the name ‘Smith’ into their system, but then obeys the subsequent instruction and sends the applicant information about other passport applicants. Of course, this exploit would not generally succeed in the real world, since a member of staff would quickly realise that any instructions contained within the form should be ignored. Unfortunately, the same is not true of many applications that are used to access databases.

The information that can potentially be accessed through an SQL injection attack might include a customer’s payment details relating to a recent purchase, or password information recently entered to access a website. All of this information is potentially valuable to an attacker and damaging to your organisation if lost, so addressing this threat must be seen as a priority.

The good news is that the problem is easy to fix but you do need to know where to look. Since an SQL injection vulnerability is caused by poor coding practices, the first step in trying to protect your organisation from this type of attack is to find out who is responsible for writing the code for your website, before then considering which parts of your website might be vulnerable.
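The passport form analogy and the "poor coding practice" behind it can be shown in a few lines. This is an added example, not code from the ICO or its report; the table, the sample rows and the function names are all constructed for illustration. It puts the vulnerable lookup beside the parameterised one that fixes it.

```python
import sqlite3

# Constructed sample data standing in for the passport office's records.
APPLICANTS = [
    ("Smith", "P-0001"),
    ("Jones", "P-0002"),
    ("Patel", "P-0003"),
    ("O'Brien", "P-0004"),  # a legitimate surname containing a quote character
]

def make_db():
    """Create an in-memory database holding the constructed applicant rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (surname TEXT, passport_no TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?)", APPLICANTS)
    return conn

def lookup_vulnerable(conn, surname):
    """Poor practice: the form field is pasted into the SQL text, so the
    database cannot tell the applicant's data from the officer's instructions."""
    query = ("SELECT surname, passport_no FROM applicants "
             "WHERE surname = '" + surname + "'")
    return conn.execute(query).fetchall()

def lookup_parameterised(conn, surname):
    """The fix: the SQL text is fixed and the form field is bound as a value,
    so whatever is written in the surname box is only ever a surname."""
    query = "SELECT surname, passport_no FROM applicants WHERE surname = ?"
    return conn.execute(query, (surname,)).fetchall()

# What an honest applicant writes, and a constructed form entry that
# smuggles an extra condition into the query.
HONEST = "Smith"
SMUGGLED = "Smith' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    for fn in (lookup_vulnerable, lookup_parameterised):
        print(fn.__name__, "honest   ->", fn(conn, HONEST))
        print(fn.__name__, "smuggled ->", fn(conn, SMUGGLED))
```

The vulnerable lookup also fails on the legitimate surname O'Brien, which is often the first visible sign that input is being pasted into the query text.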

The information included in our report highlights the key areas that your organisation will need to address from this point onwards. But remember that SQL injection vulnerabilities can be straightforward to fix; they will just require some effort to address correctly and thoroughly. If you don’t have the expertise in-house, then speak to an external security provider who does.

And finally…

You can watch me answer queries you sent in to me this week in a YouTube video interview.

Simon Rice is the Group Manager for the Technology team which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.

Last updated 16/05/2014 11:15


2 Responses to SQL injection – what is it and what does it mean for you?

  1. Paco Hope says:

    I would point out that SQL injection is associated with the web because the web is popular and breaches are easily visible. Organisations that process personal information do so with lots of backend systems and software that is not “web” or even connected to the Internet, per se. But those systems can equally be vulnerable to SQL injection. We shouldn’t cast SQL injection as a web problem, nor cast data breaches as a web problem. It is also important that the ICO recommend FIXing software (as this blog post does), not TESTing software (as a press release on the Racing Post incident did). Testing cannot fix anything. Finding problems is the tiniest tip of the making-software-secure iceberg.

  2. wyntk14 says:

    In this video we make the case that we should think of information security in a similar way to our home security; in other words, a lot of information security is about our attitude to information: http://youtu.be/eUxUUarTRW4. Hope you find it interesting.
