SQL injection | EPFL Graph Search

Are you an EPFL student looking for a semester project?

Work with us on data science and visualisation projects, and deploy your project as an app on top of GraphSearch.

In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented NoSQL databases can also be affected by this security vulnerability. In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries. The first public discussions of SQL injection started appearing around 1998; for example, a 1998 article in Phrack Magazine. SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project. In 2013, SQLI was rated the number one attack on the OWASP top ten. There are four main sub-classes of SQL injection: Classic SQLI Blind or Inference SQL injection Database management system-specific SQLI Compounded SQLI SQL injection + insufficient authentication SQL injection + DDoS attacks SQL injection + DNS hijacking SQL injection + XSS The Storm Worm is one representation of Compounded SQLI. This classification represents the state of SQLI, respecting its evolution until 2010—further refinement is underway.

About this result

This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.

Related publications (2)

Related concepts (16)

Related courses (5)

Related lectures (46)

AFM Based Single Cell Microinjection

Joanna Katarzyna Bitterli

The development of atomic force microscopy (AFM) has enabled a major breakthrough in the study of individual biological objects, such as nucleic acids, proteins and protein complexes. More recently th

EPFL2012

Un espace de consommation de stupéfiants dans la ville de Lausanne

Marco Neri

Les locaux d'injection sont des centres légalement approuvés, sous supervision médicale, où l'on permet aux consommateurs de drogues intraveineuses de s'injecter dans un environnement protégé, hygiéni

2009

CS-412: Software security

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students learn to assess and understand threats, learn how to d

CS-725: Topics in Language-based Software Security

Memory corruption and type safety flaws dominate the threat landscape. We will approach current research from three dimensions: sanitization (finding flaws through runtime monitors); fuzzing (testing

COM-301: Computer security

This is an introductory course to computer security and privacy. Its goal is to provide students with means to reason about security and privacy problems, and provide them with tools to confront them.

Vulnerability (computing)

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.

Security hacker

A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system weaknesses to assist in formulating defenses against potential hackers. Longstanding controversy surrounds the meaning of the term "hacker.

Code injection

Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate. Code injection vulnerabilities occur when an application sends untrusted data to an interpreter.

Security and Privacy Challenges in IoT Era MOOC: IoT Systems and Industrial Applications with Design Thinking

Discusses security challenges in IoT, covering bug injection, code hardening, and testing techniques.

DDL, DML, Views MOOC: Introduction to Geographic Information Systems (part 1)

Covers SQL data definition, manipulation, and views in databases.

Software Security: Memory Safety and Execution Attacks COM-301: Computer security

Covers memory safety, execution attacks, vulnerabilities, and defense mechanisms in software security.