SQL injection is one of the most typical ways web applications and online platforms can be compromised. It doesn’t matter the language either – badly formatted, non-filtered code is easy to write in PHP, ASP.net, and so on.
SQL injection is a way for an attacker to gain access to your database by sending malformed queries through a web form or service that gets data from a database. Since most web applications talk to database, it’s not hard to find a website that has some sort of connectivity and thus is ripe for attack. Once an attacker finds a vulnerable form, it can be exploited to not only return sensitive information, but also offer a way for the attacker to gain access to the system to perhaps upload a file they can then access via a browser to own your machine.
As you can see in the video below, it’s very easy for attackers to visit your site, app, or platform and try to exploit your data. If you’ve never seen how this type of attack works, or just how easy it is to write code that’s insecure, have a watch:
What can you do?
There have been books written about how to write safe and secure code, but as a starting point, please make sure that if you access user input and then perform any type of data search with it, you filter and escape it to not allow bad characters through.
Second, validate that input to ensure only the type of data you are asking for is being entered in your eventual SQL query. If you are asking for a number, do a check that the data the user has entered is indeed a number.
This is only the tip of the iceberg, but will hopefully set you down the path of writing code if you currently aren’t using these techniques. There are many places to start, but OWASP is always a good resource. They have a page dedicated to preventing SQL injection techniques and attacks.