Who doesn’t love applying to college?
Thanksgiving approaches fast, and it’s the time of the year when high school seniors should feel particularly thankful. In just a few weeks, the Common Application will force any student applying to college to hand over his parents’ lifetime savings so that college admission officers can spend 25 seconds judging his application to determine if he is worthy of acceptance. With today’s average college acceptance rate of 0.000005%, students should feel grateful, nay, honored, to take part in the college admission process.
If you are applying to college or grad school, there’s a better way to get accepted: just hack your way in! Ok ok, I'm not entirely serious, but it might surprise you that hacking into a college’s database is theoretically possible using a method called SQL injection.
A common way to communicate with databases is to use SQL, or structured query language.
When data is entered into an online form, such as when you fill in your name, address, or phone number into your online college application, a SQL command is sent to the database that requests to add this new data to the database2. However, if a user enters an SQL command into the form instead of valid data, then it is possible to communicate with the database in a way that the creators of the website did not intend. For example, if a hacker wanted to add a new student to the database’s list of admitted students, he could enter in a formatted SQL query which might look similar to the following3:
INSERT INTO AcceptedStudents (StudentName, StudentID, Password, Email)
VALUES ('Hacker Bob','SO12345',”password1234”, “firstname.lastname@example.org);
Hasn’t anyone figured out how prevent SQL injection?
SQL injection works because SQL commands and valid input - like your name - are both strings of characters, and the database system has innate way of telling the difference. Many websites have protection against SQL injection attacks by checking to make sure there are no malignant commands. Nevertheless, SQL injection remains a common form of hacking because often times websites developers, when writing thousands and thousands of lines of code, will sometimes forget to add this security feature in certain locations. Additionally, these flaws do not impact the main functionality of the website, and thus are difficult to detect.1
I hope that all the students who are gearing up to take standardized tests (SATs, ACTs, MCATs, ATTs, ABCs, or any other tests that tries to reduce a person to a set of numbers) have realized that working hard and trying to act in a morally upright way is clearly the "wrong" way to get into college. But in all seriousness, SQL injection afflicts many more websites than one might initially assume. SQL databases constitute the majority of database systems in existence, including college application systems. If these systems do not have adequate security features, then the reliability of these systems will plummet.
Speaking of poor reliability, in my next article we will be looking into the state of Rice’s wifi.
Bright, P. How security flaws work: SQL injection. http://arstechnica.com/information-technology/2016/10/how-security-flaws-work-sql-injection/ (accessed 10/30/16), part of Ars Technica.
SQL Injection. http://www.beyondsecurity.com/about-sql-injection.html (accessed 10/21/16), part of SQL Injection.
- SQL INSERT INTO Statement. http://www.w3schools.com/sql/sql_insert.asp (accessed 10/30/16), W3 Schools.