What Is SQL Injection?

When we talk about cybersecurity, it is often hard for people to picture how significant the risks are and how much damage an attack can do. Today we'll look at a common yet dangerous attack known as SQL injection. Recall that I have written in the past about how software solutions are typically built from a frontend, a backend and a database: the frontend collects data and queries from the user and sends them to the backend, which in turn reads from or writes to the database depending on the operation.

[Image] SOME OF OUR DIGITAL INFRASTRUCTURAL CHECKPOINTS

I have also written about the dangers of letting the frontend communicate directly with the model classes, and I used DTOs as a convenient solution to that problem; I also wrote about input validation, which checks the kind of data users send to a software solution. But what if these safeguards aren't present? That is where SQL injection becomes easy to carry out. The root of the problem is that the database cannot tell the difference between the query the developer wrote and the text a user typed into a form. If the application builds its SQL by pasting user input into a query string, the database runs the whole string as one command, with whatever privileges the application's database account holds; it has no way of knowing which part came from the developer and which from the user.

[Image] A RELATABLE EXPLANATION

As a result, if an attacker types a carefully crafted fragment of SQL into an input field and the application concatenates it into a query, the database carries out the resulting request, however outlandish, as long as the application's account is permitted to. With SQL injection, one doesn't need to crack the password of a user or an admin to get in. Examples of what can be done include dumping or deleting entire tables, reading and changing users' passwords, altering user details, changing important values within the application (prices, balances, roles) and a host of other things, limited only by the permissions of the database account the application uses.


Recall that software solutions have many input fields: the search box where you type what you want to find, the fields where you enter your name during registration or when updating your profile, and so on. Every one of these, and indeed anything else the server reads from a request (URL parameters, cookies, headers), can be a vehicle for SQL injection if its value ends up inside a query string. Imagine a situation where an attacker changes an admin's password and logs in with the new one, or changes the prices of products on an e-commerce platform.
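Here is what the login, search-box and password-change scenarios above look like in code, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module with a small in-memory database of constructed sample rows; the table names, columns, accounts and payloads are assumptions chosen for illustration. Each operation is written twice: once with the query built by string concatenation (vulnerable) and once using a parameterized query (safe), so you can run the same attacker input against both.

```python
import sqlite3

# Constructed sample data for the demo; not real accounts or products.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'admin');
INSERT INTO users VALUES (2, 'alice', 'alicepw', 'user');
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'Laptop', 1200.0);
INSERT INTO products VALUES (2, 'Phone', 800.0);
"""


def make_db():
    """Return a fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Login form -----------------------------------------------------------

def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so the database cannot tell
    the developer's query apart from the attacker's fragment."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with placeholders: the driver sends the input as data,
    never as part of the SQL, so quotes and comment markers have no effect."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- Search box -----------------------------------------------------------

def search_vulnerable(conn, term):
    """A UNION fragment in the search term pulls rows from another table."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The wildcard pattern is built in Python and bound as one parameter."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# --- Profile update (a user changing their own password) -------------------

def change_password_vulnerable(conn, user_id, new_password):
    """An injected WHERE clause lets a normal user rewrite the admin's password."""
    sql = ("UPDATE users SET password = '" + new_password
           + "' WHERE id = " + str(user_id))
    conn.execute(sql)
    conn.commit()


def change_password_safe(conn, user_id, new_password):
    """Both values are bound; the injected text just becomes a strange password."""
    sql = "UPDATE users SET password = ? WHERE id = ?"
    conn.execute(sql, (new_password, user_id))
    conn.commit()


if __name__ == "__main__":
    conn = make_db()
    # Classic login bypass: the comment marker removes the password check.
    print(login_vulnerable(conn, "admin' --", "wrong"))   # admin
    print(login_safe(conn, "admin' --", "wrong"))         # None
    # Search box used to dump the users table alongside the products.
    leak = "' UNION SELECT username, password FROM users --"
    print(search_vulnerable(conn, leak))                   # products plus credentials
    print(search_safe(conn, leak))                         # []
    # Alice (id 2) changes the admin's password instead of her own.
    change_password_vulnerable(conn, 2, "pwned' WHERE role = 'admin' --")
    print(login_safe(conn, "admin", "pwned"))              # admin
```

Which exact payloads work varies by database engine and driver (sqlite3's `execute`, for instance, refuses to run two statements in one call, which blocks the `'; DROP TABLE ...` style of attack but not the ones shown here), and an attacker will simply adjust. The fix does not vary: pass user input as a bound parameter so it can never be parsed as SQL.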

[Image] FINALLY

Even worse, imagine someone deleting the entire database of a bank, so that the bank no longer knows how many customers it has or what their account balances are. SQL injection is this simple yet this powerful, which is why we build in ways to ensure it can't happen: queries use parameters (prepared statements) so that user input reaches the database as data and never as part of the SQL text, input is validated against what the field is supposed to contain, and the application's database account is granted only the privileges it actually needs, so that one bad input field cannot drop a table the application never had any business dropping. A world where users can communicate directly with the database is one where this happens very easily. Software engineers sometimes feel they are trading development speed for security, and that is why we insist on these checkpoints for data and input validation; parameterized queries themselves cost nothing at runtime, and many databases run them faster because the query plan can be reused.