The arrest of three hackers who stole millions of credit card numbers from stores such as 7-Eleven and Hannaford Brothers has brought attention to a longtime breach technique called SQL injection. Structured Query Language (SQL) is a database language used to retrieve and store records. SQL is a standard in website technology for dynamic content and storage of user information including credit cards. Although the media has recently brought attention to the hacker technique, SQL injection attacks have been a common method for security breaches for several years.

What is SQL?

SQL is a language used to query and insert information into a database. There are four main keywords in SQL: insert, select, delete, and update. An example of a common select statement is the following:

select first_name, last_name from customer where first_name='smith'

The above statement queries the database for a customer whose last name is 'smith.'In harmless applications, the database sends the customer's first and last name back to the website. Notice the apostrophe marks surrounding the name 'smith'. The first apostrophe tells the SQL server to expect a string, and the ending apostrophe terminates the string. Any statements following the termination apostrophe are considered valid code, and SQL will execute it. The string syntax of SQL is the point of attack for a hacker using SQL injection.

How a Hacker Performs a SQL Injection

Many website applications query a database using a technique called inline SQL. Inline SQL is SQL statements within the code of the web page rather than the database server. The programmer builds a string of SQL statements based on input from a text box on the web page. When using inline SQL, the programmer creates a string of statements like the following example:

select first_name, last_name from customer where first_name='<input from user>'

The '<input from user>'is replaced by text entered into a text box by web visitors. Instead of typing alphanumeric characters into the text box, a hacker uses a string termination apostrophe, which indicates the string has been terminated in SQL. Once the string is terminated, the hacker creates a valid SQL statement that executes. For instance, if the hacker types 'my name' select admin_password from admin_table'into the text box, the hacker essentially closes the string and creates an additional, valid statement the database will execute. It's this vulnerability that allows hackers to steal data, create admin accounts on the server, and insert backdoors for future data theft.

How to Protect Your Website

Two methods can be used by a website owner to protect the database from SQL injection. The first option is programming the code to replace every single apostrophe with a double apostrophe. Double apostrophes are literal to the SQL database, meaning it reads the character as an actual apostrophe rather than string termination.

The second option uses stored procedures. Stored procedures are chunks of code that run SQL statements on the database server. When passing a parameter that contains an apostrophe, the stored procedure reads apostrophes as literals from the variable. Stored procedures also improve performance on the database server, so there are two benefits when converting inline SQL to stored procedures.

The integrity of the database is a substantial part of website security. When running a website that contains user's information, take the necessary precautions to protect the database from SQL injection attacks. A poorly designed website with security holes for SQL injection leads to identity theft of customers and lost revenue for the owner. Implement measures that protect your database and secure your customer's information.