SQL injection

What is an SQL injection?

An SQL injection is an exploit that takes advantage of a vulnerability in the code a website uses to talk to its database, allowing an attacker to inject SQL commands of their own. This technique is also used by cybercriminals to embed malware in legitimate websites.

When a visitor fills in a form on a web page, the entries are typically stored in a database by means of the SQL query language. If the code that builds those queries does not properly handle the input, an entry typed into a form field can carry an extra command to the database. For example, this might allow cybercriminals to enter a command that reveals the contents of that database, including email addresses, usernames, and passwords.
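The following Python script is an added illustration of the mechanism described above; it is not code from the original glossary entry or from Avira. It uses a constructed in-memory SQLite table with two made-up users, and the function and column names are assumptions chosen for the example. The vulnerable lookup pastes the form value straight into the SQL text, so a crafted entry changes the meaning of the query and returns every row; the safe lookup passes the value as a bound parameter, so the same entry is only ever compared as a plain string.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny "users" table standing in for a
    # website's database (hypothetical names and values).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "hash-a"),
            ("bob", "bob@example.com", "hash-b"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The form value is concatenated into the SQL text: whatever the visitor
    # typed becomes part of the command the database executes.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL text,
    # so the database treats it as data, never as part of the command.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # A form entry that closes the quoted string and appends an always-true
    # condition, turning a lookup of one user into a dump of every user.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the script shows the vulnerable lookup returning both users for the hostile entry while the parameterised lookup returns nothing, which is the check to apply when reviewing any form-handling code: every value that reaches a query should arrive as a bound parameter, not as part of the query string.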

A number of free web vulnerability scanners are available to check websites for such flaws. If you own a website that contains a form field whose input is stored in a database, we recommend you run a scan.

Known cases

A number of universities have been the target of SQL injections, notably Johns Hopkins University, which announced that its Biomedical Engineering servers had fallen victim to an SQL injection. A number of governmental and international institutions have also been attacked in China, Turkey, Japan and the UK, as well as the UN. In 2014, a hacker was reported to have stolen over 1.2 billion internet credentials from over 420,000 websites.

How to block infected websites

To protect our users, our premium protection includes advanced web protection, which blocks infected websites.


The Avira Security Wordbook
