An SQL injection is one of the most common, and at the same time most dangerous, attack vectors against applications backed by SQL databases. The underlying principle is crafting user input so that the database interprets it as part of the SQL statement rather than as data: a quote or comment character in the input can close a string literal and append an attacker-chosen condition, or, where the database and driver allow stacked statements, an entirely separate statement, hence "injection". Any application that builds SQL statements from user input (including input that arrives through a website form, URL parameter or cookie) is potentially vulnerable. Because the injected text runs with the privileges of the application's database account, the impact ranges from reading or modifying data the user should never see to an injected DROP TABLE statement that deletes an entire table. Even when the attacker cannot retrieve or modify data directly, information can still be extracted through so-called blind injection: observing the database's error messages, differences in the application's responses, or the delay between submitting a request and receiving a response.
The primary defense is not to build SQL statements from user input at all: parameterized queries (prepared statements) send the statement text and the user-supplied values to the database separately, so a quote in the input can never change the structure of the statement. Where that is not possible (for example when a table or column name must vary), strict input validation is required: each input is checked against an allowlist of expected formats and rejected if it does not match, before it reaches the database. Validation is often loosely called sanitization, but the two differ. Validation rejects unexpected input; sanitization tries to strip or escape characters that have meaning to SQL, such as quotes, comment markers and statement separators, and such filters are notoriously hard to make complete. A web application firewall (WAF) adds a further layer: it inspects the HTTP traffic to and from a web application and blocks requests that match known attack patterns, including SQL injection. A WAF can be bypassed by encoding or obfuscating the payload, so it complements secure query construction and validation rather than replacing them; the layers should be used in combination to achieve the best possible protection against this type of attack.
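The following is an added example, not code from the original page: a Python script against an in-memory SQLite database (constructed sample data, two users) that illustrates both the attack described in the first paragraph and the defenses of the second. `login_vulnerable` splices user input into the SQL text, so a quote plus a `--` comment bypasses the password check and an `OR '1'='1'` tautology returns every user; `probe_error` shows the error-based signal an attacker can use when a single quote breaks the statement. `login_parameterized` sends the values separately from the statement text, and `is_valid_username` is an allowlist validator for defense in depth. The function names and the regular expression are this example's own choices. Note that the injection here alters the existing statement rather than appending a second one: the Python `sqlite3` driver refuses to execute more than one statement per call, which is one reason stacked `DROP TABLE` payloads do not work everywhere.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database with one users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text, so a quote in the
    input closes the string literal and the rest of the input becomes SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def probe_error(conn, username):
    """Error-based signal: run the vulnerable query with a constructed password
    and return the database's error message if the input broke the statement,
    or None if it ran cleanly. An attacker uses this difference to confirm
    injection even when no data is returned."""
    try:
        login_vulnerable(conn, username, "probe")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def login_parameterized(conn, username, password):
    """HARDENED: placeholders send the values separately from the SQL text, so
    a quote or comment marker in the input stays an ordinary character."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = ? AND password = ? ORDER BY id"
    )
    return conn.execute(sql, (username, password)).fetchall()


# Allowlist validation (defense in depth): only letters, digits and underscore,
# 1 to 32 characters. Anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Comment injection: the rest of the WHERE clause is commented out.
    print(login_vulnerable(db, "alice' --", "wrong"))        # [('alice', 'admin')]
    # Tautology injection in the password field returns every row.
    print(login_vulnerable(db, "nobody", "x' OR '1'='1"))    # both users
    # A lone quote breaks the statement; the error message leaks that.
    print(probe_error(db, "alice'"))
    # The same payloads are harmless against the parameterized query.
    print(login_parameterized(db, "alice' --", "wrong"))     # []
    print(is_valid_username("alice"), is_valid_username("alice' --"))
```

Run it with any Python 3 interpreter; `sqlite3` and `re` are part of the standard library. The comment injection works because SQLite treats `--` as a comment to the end of the line, so the `AND password = '...'` clause never executes; the tautology works because `AND` binds more tightly than `OR`, leaving `... OR '1'='1'` to match every row.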