SQL Injection
• SQL injection is a type of code injection technique in which attacker-supplied text is executed as part of a SQL statement. It can expose, alter or destroy the data in a database.
• In this technique the malicious SQL is supplied through web page input and becomes part of a SQL statement that the application sends to the database server behind it. Those statements control the database server behind the web application.
• Attackers can use SQL injection vulnerabilities to bypass application security measures. They can get around the authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL injection to add, modify and delete records in the database.
• A SQL injection vulnerability may affect any website or web application that uses a SQL database such as MySQL, Oracle, SQL Server or others. The flaw is in how the application builds its queries, not in any one database product.
How Does SQL Injection Work?
• To make a SQL injection attack, an attacker must first find vulnerable user inputs within the web page or web application. A web page or web application that has a SQL injection vulnerability uses such user input directly in a SQL query, typically by concatenating it into the query string. The attacker can then craft input content that changes the meaning of the query. Such content is often called a malicious payload and is the key part of the attack. After the attacker sends this content, the attacker's SQL commands are executed in the database with the privileges of the application's database account.
• SQL is a query language that was designed to manage data stored in relational databases. You can use it to access, modify and delete data. Many web applications and websites store all of their data in SQL databases. In some cases, you can also use SQL commands to run operating system commands (some database servers expose such features to sufficiently privileged accounts). Therefore, a successful SQL injection attack can have very serious consequences.
Example of SQL Injection
• Following is an example of how a SQL injection vulnerability works in a simple web application having two input fields - one for user name and another for password.
• This example has a table named users with the columns id, username and password. The login code reads both fields from the HTTP request and builds the query by string concatenation (the vulnerable pattern; request and database stand for the web framework's request object and database connection):
uname = request.POST['username']
passwd = request.POST['password']
# Vulnerable: untrusted input is concatenated straight into the SQL text
query = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
database.execute(query)
• Here both input fields - the one for user name and the one for password - are vulnerable to SQL injection, because whatever the user types is placed inside the quotes of the SQL statement without any escaping.
• The attacker can attack using these fields and alter the SQL query to get access to the database.
• They could use a trick on the password field. Instead of a password they could enter
password' OR '1'='1
in the password field. The single quote after password closes the string literal the application opened, and the rest is parsed as SQL; the final '1'='1 reuses the closing quote the application adds, so the statement stays syntactically valid. (The equivalent form password' OR 1 = 1 -- uses a SQL comment to discard the application's trailing quote instead.)
• As a result the query becomes (assuming the username field contains user1):
• SELECT id FROM users WHERE username='user1' AND password='password' OR '1'='1'
• Because AND binds more tightly than OR, the WHERE clause is evaluated as (username='user1' AND password='password') OR '1'='1'. The right-hand side is always true, so the condition matches every row in the users table no matter what the username and password are. That means that even if we enter a wrong username or password, the query still returns rows because of the OR '1'='1' part, which always evaluates to true.
• The application typically takes the first row returned, and in the users table of many applications the first id belongs to the account created first, which is normally the administrator. In this way, the attacker not only bypasses authentication but may also gain administrator privileges.
How to prevent SQL injection?
• Validate every input field (type, length, allowed characters). Input validation reduces the attack surface, but on its own it is not a complete defence, because legitimate data such as a surname like O'Brien must still be allowed to contain quote characters.
• The primary defence is to use parameterized queries, also called prepared statements. The SQL text contains placeholders, and the actual values are passed to the database driver separately, so the application code never mixes the input into the SQL text and the database never parses the input as SQL.
• Web Application Firewalls (WAF) are also used to filter out requests that look like SQL injection. A WAF is a defence-in-depth measure, not a substitute for fixing the query code, since filters can be bypassed by encoding or rephrasing the payload.
• Running the application with a database account that has only the privileges it needs limits the damage a successful injection can do, for example preventing the attacker from dropping tables or running operating system commands.
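The following is an added worked example, not code from the page or from any particular application, that ties together the login example above and the prepared-statement defence. It builds a constructed in-memory SQLite users table (an assumption: the first row is the administrator, as the page describes), runs the page's concatenated query and the parameterized version against the same inputs, and returns the id each one yields for a normal login and for the password' OR '1'='1 payload. The function and variable names (make_db, login_vulnerable, login_parameterized, PAYLOAD, demo) are this example's own.

```python
import sqlite3

# Constructed sample data (an assumption for this example): the page's
# users(id, username, password) table, first row = administrator.
# Passwords are stored in clear text only to mirror the page's example;
# a real application would store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-admin"), (2, "user1", "password")],
    )
    return conn


def login_vulnerable(conn, uname, passwd):
    """The page's pattern: user input concatenated straight into the SQL text.
    Returns the id of the first matching row, or None."""
    query = (
        "SELECT id FROM users WHERE username='" + uname
        + "' AND password='" + passwd + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, passwd):
    """Prepared statement: the ? placeholders are bound by the driver, so the
    input is only ever compared as a string value and never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (uname, passwd),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker inputs for the password field.
PAYLOAD = "password' OR '1'='1"        # closes the quote, reuses the app's trailing quote
PAYLOAD_COMMENT = "password' OR 1=1 --"  # closes the quote, comments out the trailing quote


def demo():
    """Run both login functions against the same table and report the ids."""
    conn = make_db()
    results = {
        # Correct credentials for user1 match only row 2 in both versions.
        "vuln_correct": login_vulnerable(conn, "user1", "password"),
        "param_correct": login_parameterized(conn, "user1", "password"),
        # Injected password: the WHERE clause is true for every row, so the
        # first row (the administrator, id 1) comes back, for any username.
        "vuln_injected": login_vulnerable(conn, "user1", PAYLOAD),
        "vuln_injected_comment": login_vulnerable(conn, "user1", PAYLOAD_COMMENT),
        "vuln_wrong_user_injected": login_vulnerable(conn, "nobody", PAYLOAD),
        # Same payloads through the prepared statement: compared literally,
        # no account has that password, so login fails.
        "param_injected": login_parameterized(conn, "user1", PAYLOAD),
        "param_injected_comment": login_parameterized(conn, "user1", PAYLOAD_COMMENT),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, user_id in demo().items():
        print(f"{name}: {user_id}")
```

Running the script shows the two faces of the same input: the concatenated query returns id 1 (the administrator) for either payload, even with a non-existent username, while the parameterized query returns None because the driver sends the payload to SQLite as a plain string value rather than as part of the statement.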
Review Question
1. Write short note on SQL injection.
Database Management System (CS3492), Unit V: Advanced Topics. 4th Semester CSE Dept, 2021 Regulation.