Chapter 10SQL Injection Attacks

One of the most popular types of online attacks is known as SQL injection, sometimes abbreviated as SQLi. These attacks involve the insertion of database code using Structured Query Language (SQL), where attackers can retrieve data from databases or overwrite existing data.

You might be surprised to learn that, according to OWASP (the Open Web Application Security Project), which is a charitable organization that promotes the securing of software, SQLi was the number one threat to online services in 2013, and listed as the most common threat at

This chapter looks at what these attacks involve, how to protect your websites against them, and finally how to launch them yourself for the purposes of penetration testing.

Needless to say, this is a wide and complex area that requires a degree of background knowledge to carry out more sophisticated attacks. You might be surprised how easy it is, however, having run only a handful of commands and with only a little database knowledge, to bring a vulnerable online service to its knees. For that reason alone, it's imperative that IT professionals be aware of the risks that SQL injections pose and how to mitigate their effects.


Considering its simplicity, the fact that SQLi is so effective makes it a formidable type of attack.

Take note, junior developers, because when it comes to security matters, sysadmins tend not to be directly responsible for ...

Get Linux Server Security now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.