SQL Injection Attacks (SQLi)

The most common attack goal of an SQL injection attack is to extract data in bulk from the database. It could also potentially be used to modify or delete data, execute arbitrary commands, or launch DoS attacks.

The main idea is that the attacker sends malicious SQL commands to the database server, exploiting the behaviour of the web page interface.

The typical method is to prematurely terminate a text string within the input and append a new command. This works when the web page constructs the query by simply concatenating each part of the command with the user's input, so the input is parsed as SQL syntax rather than treated as a value.

An SQL injection attack can come from many avenues: