Don't miss an insight. Subscribe to Techopedia for free.


Why are SQL injection and query string manipulation gaining in cybercrime popularity?

By Justin Stoltzfus | Last updated: January 9, 2020

SQL injection, along with the related manipulation of query strings, is widely cited as one of the most popular ways of hacking into a network or system that utilizes the conventional relational database. (Read When SQL Isn't Enough: Controls for Massive New Data Centers.)

There are a number of reasons for this. First of all, the use of SQL injection to get unauthorized access to database contents doesn't require any special tools. Secondly, it can be done right through the Internet.

By manipulating a query string that goes from a web form to a host system, hackers can do all sorts of things, including getting the database to dump its data. Wherever these incoming inputs are not properly authenticated and validated, it’s extremely easy to make your way into a database remotely.

You don't have to crack a password or figure out a way around encryption or anything else — the hacker just enters the altered query statement and runs amok in the system.

In addition, as some experts point out, hackers can fingerprint databases through careful research. It's relatively easy in many cases to figure out what type of database a network is using, and again, this can all be done from any connected computer.

Essentially, query string manipulation is as simple as adding alphanumeric characters to a string. It's one of the simplest, most straightforward and most effective types of database hacking around. Contrast this with something like a denial of service attack or a ransomware attack, both of which require sophisticated planning, and you'll see why SQL injection is so popular. (Read How Should Businesses Respond to a Ransomware Attack?)

There are ways of locking out hackers — of disabling SQL injection, but vulnerabilities are so common that they represent a big open barn door to hackers. Spoofing and social engineering are also popular, but SQL injection doesn’t even require the hacker to trick any human user! It just involves looking for the right pressure point, and using it.

Share this Q&A

  • Facebook
  • LinkedIn
  • Twitter


Cybersecurity Data Management Cyber Threats Identity & Access Governance

Written by Justin Stoltzfus | Contributor, Reviewer

Profile Picture of Justin Stoltzfus

Justin Stoltzfus is a freelance writer for various Web and print publications. His work has appeared in online magazines including Preservation Online, a project of the National Historic Trust, and many other venues.

More Q&As from our experts

Related Terms

Related Articles

Term of the Day

Machine Bias

Machine bias is the tendency of a machine learning model to make inaccurate or unfair predictions because there are...
Read Full Term

Tech moves fast! Stay ahead of the curve with Techopedia!

Join nearly 200,000 subscribers who receive actionable tech insights from Techopedia.

Go back to top