I’ve recently moved into a part-time application security role at work and felt the need to document some of my learnings. This article, like any security-related article, is not intended for use in hacking. I am in no way responsible if you try to use this knowledge for any malicious activity. I am in no way a security expert; if you try anything in this article, you will get caught. I have also been vague on certain parts of the article.
SQL injection may be the most famous attack vector in computer programming. A successful SQL injection can net all sorts of sensitive information stored in a database. The reality is that we live in a data-driven world, and that data has to be stored somewhere. As technology has become more widespread, companies have started investing in security to prevent these attacks, but bad actors are always evolving and improving their attack vectors. Below I’ll go over what a possible SQL injection may look like and how to prevent this attack.
The Flaw
Let’s start with some vulnerable code. The Gist below shows the skeleton code of an authorization check. The username and password come from the HTTP request. The sqlQuery variable contains a query that has been built to authenticate the incoming credentials. The SQL query is then executed on line 6.
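An added example, not the author's Gist: the pattern described above written against Python's built-in sqlite3 module, with the string-built query beside a parameterized one. The table layout, function names and sample rows are assumptions made for the demonstration, and it assumes the flawed query is assembled by string concatenation.

```python
import sqlite3

def make_db():
    """Build an in-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords keep the demo short; real systems store a salted hash.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("o'brien", "shamrock")])
    return db

def login_vulnerable(db, username, password):
    """Flawed pattern: request values are pasted into the SQL text itself."""
    sql_query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
                 "' AND password = '" + password + "'")
    return db.execute(sql_query).fetchone()[0] == 1

def login_safe(db, username, password):
    """Hardened form: the SQL text is fixed and values are bound as parameters."""
    sql_query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql_query, (username, password)).fetchone()[0] == 1

def compare(db, username, password):
    """Return (vulnerable_result, safe_result); a parse failure becomes 'sql-error'."""
    try:
        vulnerable = login_vulnerable(db, username, password)
    except sqlite3.OperationalError:
        # The database parsed part of the input as SQL and rejected the statement.
        vulnerable = "sql-error"
    return vulnerable, login_safe(db, username, password)

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "correct horse"))  # both paths accept
    print(compare(db, "o'brien", "shamrock"))     # apostrophe breaks the built query
    print(compare(db, "alice", "wrong"))          # both paths reject
```

A legitimate user whose name contains an apostrophe is enough to break the concatenated query, which shows that request data is being parsed as SQL; with bound parameters the same input is treated purely as a value.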