
Sunday 28 July 2013

Is my database at risk to SQL Injection?

SQL Injection is one of the most common application layer attacks currently being used on the Internet.

Despite the fact that it is relatively easy to protect against SQL Injection, a large number of web applications remain vulnerable. According to the Web Application Security Consortium (WASC), 9% of the total hacking incidents reported in the media up to 27th July 2006 were due to SQL Injection. More recent data from our own research shows that about 50% of the websites we have scanned this year are susceptible to SQL Injection vulnerabilities.

It may be difficult to answer the question of whether your web site and web applications are vulnerable to SQL Injection, especially if you are not a programmer or you are not the person who coded your web applications. Our experience leads us to believe that there is a significant chance that your data is already at risk from SQL Injection.

Whether an attacker is able to see the data stored in the database depends on how your website is coded to display the results of the queries it sends.

What is certain is that the attacker will be able to execute arbitrary SQL commands on the vulnerable system, either to compromise it or to obtain information. If your application is improperly coded, you run the risk of having your customer and company data compromised. What an attacker gains access to also depends on the level of security set on the database: the database account used by the application could be restricted to certain commands only.

Read access is normally enabled for web application back ends, so even if an attacker is not able to modify the system, they would still be able to read valuable information.
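The two points above (how the application builds its queries, and what the database account is allowed to do) can be checked directly in code. The following is an added example written for this post, not code from the original page or from any product it describes; it uses Python's built-in sqlite3 module with a small constructed `customers` table and a constructed probe value. It places the string-concatenation pattern beside its parameterized replacement, then uses SQLite's authorizer hook as a stand-in for the database-level restriction to read-only commands (a real deployment would use grants on the application's database account instead).

```python
import sqlite3

# Constructed sample data standing in for a web application's back end.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The coding pattern the post warns about: the request value is pasted
    straight into the SQL text, so it becomes part of the command the
    database executes."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the SQL text is fixed and the value is bound separately,
    so the database only ever treats it as data, never as SQL."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def restrict_to_reads(conn):
    """Mimic the 'restrict to certain commands only' setting the post mentions.
    Real deployments do this with database grants; here SQLite's authorizer
    hook denies every action except SELECT statements and column reads."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def is_denied(conn, sql):
    """Return True when the database refuses to run `sql` under the current
    authorizer (SQLite raises DatabaseError with 'not authorized')."""
    try:
        conn.execute(sql)
        return False
    except sqlite3.DatabaseError:
        return True


def demo():
    """Run both query styles on the same constructed input, then show that the
    read-restricted connection still answers a legitimate lookup but refuses
    a write. Returns (rows from vulnerable, rows from parameterized,
    delete refused?, result of a normal lookup after restriction)."""
    conn = make_db()
    # Constructed probe: a quote character changes the meaning of the concatenated query.
    probe = "' OR '1'='1"
    vulnerable = lookup_vulnerable(conn, probe)        # every row comes back
    parameterized = lookup_parameterized(conn, probe)  # no row: nobody has that name
    restrict_to_reads(conn)
    delete_blocked = is_denied(conn, "DELETE FROM customers")
    still_reads = lookup_parameterized(conn, "bob")
    return len(vulnerable), len(parameterized), delete_blocked, still_reads


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(3, 0, True, [('bob', 'bob@example.com')])`: the concatenated query hands back the whole table for a value that matches no customer, the parameterized query returns nothing for the same value, and the read-restricted connection keeps serving normal lookups while refusing the `DELETE`. Note that the restriction only limits damage; as the post says, read access alone still exposes the data, so the parameterized query is the fix and the restricted account is the backstop.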
