SQL injection is, in essence, the insertion or "injection" of SQL syntax and commands into input data, which can lead to any number of insecure behaviors and violations of user privacy.
Many e-commerce applications use a database of one type or another to store information. Whether it holds product information, account information, or some other kind of data, the database is an important link in the Web application's environment. SQL commands form the interface between the Web front end and the back-end database and carry data to and from the Web application. You should control this data so that a user obtains only the information he is authorized to see. However, because many Web sites generate SQL queries dynamically from parameters the user supplies, an attacker can often trick the application into changing the nature of the query by entering SQL artifacts into a URL, form field, or other input, giving him unrestricted access to the database.
Because SQL queries are often used for authentication, authorization, purchases, and billing, vulnerabilities associated with allowing an attacker to submit arbitrary SQL queries are extremely serious. Often, an attacker is able to use SQL injection to obtain information from a database without being an authorized user.
This attack is applicable whenever input is sent from a Web application to a back-end database. Someone can perform this attack by entering SQL command artifacts into a URL, form field, or other input parameter that is part of a dynamically generated SQL query. Because most Web applications rely on a database for a lot of storage and logic (user permissions, settings, and so forth), numerous parameters may eventually find their way into a query.
Fields that correspond to columns of a database table are the ones most likely to be used in SQL queries for lookup or data retrieval. As you use your target Web application, ask yourself whether the data you are entering would likely be stored in a database. Familiarizing yourself with database design and SQL is highly recommended.
Any input, whether it is a form field on a Web page or a parameter of an API, that becomes part of an SQL query is a potential SQL injection point. If no mitigations are in place, attacks may fail only because the attacker lacks a sufficient understanding of the database schema and of how the queries are constructed. Thus, a security tester needs to understand how data presented to a user is employed behind the scenes. Even if you're in doubt about whether this attack applies, try it anyway. The risk of an attacker extracting information from your database makes the effort worthwhile.
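As an added illustration of the dynamic-query problem described above (this code is not from the original text), the following constructed SQLite example builds a login lookup by string concatenation and places it beside the parameterized form that is the standard mitigation; the accounts table, its rows, and the tampered input are all invented for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory account store standing in for an e-commerce database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "customer")],
    )
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: user input is pasted into the SQL text, so input that
    contains quotes or operators changes the structure of the query itself."""
    sql = (
        "SELECT username, role FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Mitigated form: the SQL text is fixed and the values are bound as
    parameters, so the database treats them as data, never as query syntax."""
    sql = "SELECT username, role FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both lookups with a legitimate login and with a constructed input
    that carries SQL artifacts (no valid password is supplied in that case)."""
    conn = make_db()
    legit = ("alice", "s3cret")
    tampered = ("alice", "x' OR '1'='1")
    return {
        "concat_legit": login_concatenated(conn, *legit),      # one matching row
        "concat_tampered": login_concatenated(conn, *tampered),  # every row: query logic rewritten
        "param_legit": login_parameterized(conn, *legit),      # one matching row
        "param_tampered": login_parameterized(conn, *tampered),  # no rows: input stayed data
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every account row for the tampered input because the trailing OR condition is always true, while the parameterized query compares the whole string as a password and matches nothing.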