Strengthening Your Web App Security: Preventing SQL Injections

The database plays a vital role in a web application as it stores and organizes its data. It serves as a central repository for storing user information, content, and other application data. The database enables efficient data retrieval, manipulation, and management, allowing the web application to deliver dynamic and personalized content to users. However, poorly implemented communication between a database and a web application can lead to sensitive data breaches, users' mistrust, legal consequences, and loss of profits. In this article, we'll explore backend misconfigurations that lead to such disasters and learn how to ensure the application's safety.

What Is SQL Injection?

SQL Injection – or SQLi – is a vulnerability that allows an attacker to tamper with the queries a web application sends to its database. Injection occurs when the application builds a query from user input in a way that makes the database interpret that input as SQL code rather than as a plain string value. As a result, malicious users can change the intended query flow, subvert the application's logic, and gain unauthorized access to its resources.
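As an added example, not code from the original article, the distinction described above in Python with the standard library's sqlite3 module: a login check that formats user input into the SQL text, beside the same check written as a parameterized query. The table, accounts and inputs are all constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input becomes part of the SQL text itself.

    A quote character in the input closes the string literal early, so the
    rest of the input is parsed as SQL syntax and can alter the WHERE clause.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened: the SQL text is fixed and the values travel separately.

    The driver binds each value as data, so whatever the input contains is
    only ever compared against the stored column, never parsed as SQL.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # A valid credential behaves the same in both versions.
    print(login_vulnerable(db, "alice", "s3cret"), login_safe(db, "alice", "s3cret"))
    # A password containing SQL syntax matches every row in the vulnerable
    # version, and no row at all in the parameterized version.
    tampered = "' OR '1'='1"
    print(login_vulnerable(db, "alice", tampered), login_safe(db, "alice", tampered))
```

The tampered input turns the vulnerable query's condition into `(username = 'alice' AND password = '') OR '1'='1'`, which is true for every row; the parameterized version compares the same characters as a literal string and finds no match.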

Identify and Fix XSS Vulnerabilities in Your Web App

What Is Cross-Site Scripting?

Cross-Site Scripting (XSS) is a code-injection vulnerability that occurs in applications that process HTML when developers do not sanitize user input well enough before inserting it into an HTML template. It allows an attacker to insert arbitrary JavaScript code into a template and execute it in the user’s context:

[Image: Cross-Site Scripting]

In the image above, the developer failed to sanitize the content of the "last-name" div, which resulted in users being able to include malicious scripts by manipulating their last name.