SQL injection is a technique normally used by attackers to obtain or change information in a database. However, an attacker can also use SQL injection to cause a Denial of Service (DoS) by passing SQL commands that execute and cause malfunctions in the back-end database. Attackers exploit loopholes relating to non-validated input in web applications that operate by formulating SQL commands from the user input. By supplying parameters in the URL or form field of a website, attackers can alter the intended operation of an application to serve their interests. Common tricks used in executing SQL injection include concatenating user input with an SQL command after the closing quote character (Clarke, 2009). Another trick used in SQL injection is the modification of SELECT queries to add conditions to the WHERE clause commonly used in database operations. Modifying database queries can cause the database to return incorrect results or fail to respond to a user's input. Inexperienced attackers can accomplish SQL injection using software tools such as Power Injector, SQL Map and SQL Ninja, which automate the process.
There are diverse technical approaches that increasingly reduce vulnerabilities relating to SQL injection. One approach is modifying the application code responsible for the identified vulnerabilities by using parameterized statements and bind variables to eliminate loopholes that allow attackers to pass crafted strings in form fields and applications' URLs. Another technical approach is the installation of tools such as network filters, web application filters and Intrusion Prevention Systems (IPS) that can identify SQL injection attempts (Clarke, 2009). To avoid damage related to SQL injection, organizations can adopt policies that minimize the privileges assigned to database accounts. Evaluating access rights for application accounts limits the scope for attackers to interfere with normal database operations. Application accounts should have access only to the database tables required for their related functions rather than all the tables in the database.
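The following Python example, added here and not taken from Clarke (2009) or the text above, illustrates the two mitigations just described: it builds the same lookup once by string concatenation and once with a bind variable, and then shows a least-privilege analogue for SQLite (a query-only connection) rejecting a data change. The `users` table and the inputs are constructed for the demonstration, and the database lives in memory so the script runs offline.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory users table (sample data, not a real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates user input into the SQL text, so a quote in the input alters the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Uses a bind variable: the value is passed separately and is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def readonly_connection_rejects_writes(conn):
    """Least-privilege analogue for SQLite: a query-only connection cannot modify data,
    so even an injected statement on this connection could not delete or alter rows."""
    conn.execute("PRAGMA query_only = ON")
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.OperationalError:  # SQLITE_READONLY surfaces as OperationalError
        return True


def demo():
    """Run both lookups with a normal input and a constructed input that appends a WHERE condition."""
    conn = build_db()
    normal = "alice"
    tampered = "x' OR '1'='1"  # constructed: closes the quote and adds an always-true condition
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tampered": lookup_vulnerable(conn, tampered),  # returns every row
        "param_normal": lookup_parameterized(conn, normal),
        "param_tampered": lookup_parameterized(conn, tampered),  # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    print("query-only connection rejects writes:", readonly_connection_rejects_writes(build_db()))
```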