How to Explain SQL Injection to Anyone

There are many ways to explain SQL Injection, and the “best” way is clearly determined by who you’re talking to. For somewhat technical folks, I like my friend Steve’s explanation, I use the explanation below.

Two Key Concepts

SQL Injection is a computer security vulnerability where two bad things are happening at once: the Confused Deputy problem and the confusion between Data and Commands.

  1. Confused Deputy is a security problem where someone wants to accomplish something they don’t have the permission to do, and they find a way to trick someone who does have the authority into doing it for them. A good example would be sneaking a gun into a bag of an airport worker (who bypasses security) and then retrieving it later behind the security barrier. You got the gun past security by using the authority of the airport worker.

  2. The confusion of Data vs. Commands is easy enough to see with a couple of examples. We give computers lots of different inputs: sometimes we give them data: “My address is ‘123 Maple Street'”, and sometimes we give them commands, like, “print this photo” or “send this file”. The problem arises when the computer thinks it’s getting data (like an address), but it really gets a command (like ‘delete the hard drive’).

SQL Injection is a combination of these two issues.

The Courtroom Analogy

The best way to conceptualize this is through the analogy of a courtroom. Imagine that you have present a defendant and a judge, and that the first thing the judge does at the beginning of a case is read the roster where the defendant wrote his name. He says:

Calling $DEFENDANT_NAME.

So if his name is Ender Wiggin, the judge would say:

Calling…Ender Wiggin.

Fair enough. But what happens if Ender writes his name as, “Case Dismissed”?

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Then, when the judge does his regular speil, he’d say:

Calling…Case Dismissed.

Ender then smiles and walks out of the courtroom.

This is confusion of Data and Commands because the judge thought he was reading a name (data) and instead issued a command (dismiss the case), and it’s the Confused Deputy problem because Ender is not himself able to dismiss it–he had to get the judge to do it for him.

Real World

It’s the same with computers and web pages.

  1. There is often confusion between Data and Commands in a web page that asks for an address (data) but receives a SQL command instead (e.g.: get me stuff from your database)

  2. Confused Deputy is in play because you (the web user) are not allowed to ask the database direct questions–but the web page you just gave your command to is

Either way, Ender gets what he wants: out of jail or access to data he’s not supposed to have. Slippery bugger.

Additional Links

1 This is an incredible explanation recommmended by my friend Joel.

Related posts: