Introduction to SQL Injections

Welcome to this overview on SQL injection attacks—one of the most common and dangerous security vulnerabilities in web applications. Imagine handing a user a blank check, allowing them to fill in any instructions they want for your database. If you're not careful with how you process user inputs, you're essentially doing just that!

By the end of this reading, you will understand:

Injections into Queries

Let’s consider a simple scenario: your server receives user input and appends it directly into a SQL query. For instance, to search for bookmarks in an app:

const express = require('express');
const app = express();
app.use(express.json()); // parses the JSON request body into req.body

app.get('/bookmarks', (req, res) => {
  // userInput is sent from the request (e.g., req.body)
  let userInput = req.body.userInput;

  // Vulnerable: the raw input is interpolated straight into the SQL text
  let query = `SELECT * FROM Bookmarks WHERE title = ${userInput}`;

  // Then the query is executed (database call omitted here)...
});

This code seems harmless at first. But consider a malicious user who supplies:

"'Week 1 Notes'; DROP TABLE Bookmarks"

Suddenly, your query might become:

SELECT * FROM Bookmarks WHERE title = 'Week 1 Notes'; DROP TABLE Bookmarks

The second statement, DROP TABLE Bookmarks, could delete your entire table. This is a classic example of a SQL injection attack: dynamic SQL is manipulated to perform unintended actions. Whether that second statement actually runs depends on the database driver; some, such as the Node mysql driver, refuse to execute more than one statement per call unless that is explicitly enabled. That incidental limit does not protect you, though: an attacker can still reshape the single statement you did intend to run, as the login example below shows.

Illustration: XKCD “Exploits of a Mom”, https://imgs.xkcd.com/comics/exploits_of_a_mom.png

What Makes Your Application Vulnerable

The vulnerability arises whenever raw user input (like a search term, username, or password) is concatenated directly into a SQL statement. Hackers can then insert extra SQL tokens (like OR 1=1 or DROP TABLE) to hijack your queries.

Here’s another scenario: a login endpoint that uses user-supplied username and password in a query:

app.get('/login', (req, res) => {
  let username = req.body.username;
    // e.g. "'spiderman' OR (1=1"
  let password = req.body.password;
    // e.g. "'Your database is fried')"

  // Vulnerable: both values are interpolated straight into the SQL text
  let query = `SELECT * FROM Users WHERE username = ${username} AND password = ${password}`;

  // With the inputs above the query becomes:
  //   SELECT * FROM Users
  //   WHERE username = 'spiderman' OR (1=1 AND password = 'Your database is fried')
  // The password check is now grouped inside the OR branch, so the row for
  // 'spiderman' matches no matter what that account's real password is.

  // Execute query...
});

A malicious user could effectively bypass authentication by crafting a username like 'spiderman' OR (1=1: the password comparison is no longer tied to the account they named, letting them log in as any user, or, with an always-true condition such as OR 1=1, expose data about every account.
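To make the difference between the two approaches concrete, here is an added example (not code from the original reading) that puts the bookmark search and the login query above side by side in two forms: string interpolation, exactly as the reading builds them, and a fixed SQL template with a separate values array, which is the shape that parameterized queries take in drivers such as mysql2, pg or sqlite3. Because no database is involved, a small scanner stands in for the server's lexer and reports the structure the database would see. The scanner, the bindValues() emulation and the '?' placeholder style are simplifying assumptions made for this example, not a particular driver's behaviour.

```javascript
// Added example for this reading (not code from the original). Vulnerable
// interpolation beside the parameterized form, plus a tiny SQL scanner that
// shows what structure the database would actually receive.

// --- Vulnerable forms, exactly as interpolated in the reading ---------------
function unsafeBookmarkQuery(userInput) {
  return `SELECT * FROM Bookmarks WHERE title = ${userInput}`;
}

function unsafeLoginQuery(username, password) {
  return `SELECT * FROM Users WHERE username = ${username} AND password = ${password}`;
}

// --- Parameterized forms: the SQL text is a constant, values travel apart --
// ('?' placeholders are an assumption; the syntax varies by driver.)
const BOOKMARK_TEMPLATE = 'SELECT * FROM Bookmarks WHERE title = ?';
const LOGIN_TEMPLATE = 'SELECT * FROM Users WHERE username = ? AND password = ?';

function safeBookmarkQuery(userInput) {
  return { sql: BOOKMARK_TEMPLATE, values: [userInput] };
}

function safeLoginQuery(username, password) {
  return { sql: LOGIN_TEMPLATE, values: [username, password] };
}

// Emulates client-side binding (simplified): each value becomes one
// single-quoted literal with embedded quotes doubled, the standard-SQL
// escape, so a value can never close the literal or start a new statement.
function bindValues({ sql, values }) {
  let index = 0;
  return sql.replace(/\?/g, () => `'${String(values[index++]).replace(/'/g, "''")}'`);
}

// Scans SQL text roughly the way a server's lexer would, tracking
// single-quoted literals. Returns the statements split at top-level ';',
// the literal values (unescaped), and the query "shape" with every literal
// replaced by '?'. If the shape differs from the template, user input has
// changed the structure of the query, which is exactly what injection is.
function scanSql(sql) {
  const statements = [];
  const literals = [];
  let shape = '';
  let current = '';
  let literal = null; // null while outside a quoted literal
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (literal !== null) {
      if (ch === "'" && sql[i + 1] === "'") { literal += "'"; current += "''"; i++; continue; }
      if (ch === "'") { literals.push(literal); literal = null; current += ch; continue; }
      literal += ch;
      current += ch;
      continue;
    }
    if (ch === "'") { literal = ''; shape += '?'; current += ch; continue; }
    shape += ch;
    if (ch === ';') {
      if (current.trim()) statements.push(current.trim());
      current = '';
      continue;
    }
    current += ch;
  }
  if (current.trim()) statements.push(current.trim());
  return { statements, literals, shape };
}

// Constructed inputs, the same ones the reading uses.
const BOOKMARK_PAYLOAD = "'Week 1 Notes'; DROP TABLE Bookmarks";
const LOGIN_USER = "'spiderman' OR (1=1";
const LOGIN_PASS = "'Your database is fried')";

function demo() {
  const unsafe = scanSql(unsafeBookmarkQuery(BOOKMARK_PAYLOAD));
  const safe = scanSql(bindValues(safeBookmarkQuery(BOOKMARK_PAYLOAD)));
  console.log('interpolated statements:', unsafe.statements);
  console.log('parameterized statements:', safe.statements);
  console.log('interpolated login shape:', scanSql(unsafeLoginQuery(LOGIN_USER, LOGIN_PASS)).shape);
  console.log('parameterized login shape:', scanSql(bindValues(safeLoginQuery(LOGIN_USER, LOGIN_PASS))).shape);
}
demo();
```

Running it shows the interpolated bookmark query splitting into two statements (the SELECT and DROP TABLE Bookmarks), while the parameterized one stays a single SELECT whose literal is the entire payload, quotes and semicolon included, searched for as an ordinary title. For the login query, the interpolated shape becomes `username = ? OR (1=1 AND password = ?)`, whereas the parameterized shape is identical to the template: the values arrive intact as data, and the WHERE clause the developer wrote is the one the database evaluates.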

Risks and Impact

If successful, SQL injections can:

Essentially, an attacker gains unauthorized read/write capabilities by injecting extra queries into your SQL statements.

Preventing SQL Injection

You’ll explore protective measures in more detail later. Generally, the key strategies include:

Recap

SQL injections are attacks where a user input manipulates your SQL query to perform malicious actions—like deleting tables or viewing confidential data. They happen when you directly interpolate user strings into your SQL statements without sanitization.

By understanding how an attacker can embed harmful queries into seemingly innocent fields, you’ll be more vigilant about safely handling user input.

In upcoming lessons, you’ll learn best practices for preventing these injections, so you can keep your application data safe from mischievous (or downright malicious) users.