What is SQL Injection

jellytrick, Internet and Web Development

Nov 10, 2013


User-controlled data is placed into a SQL query without being validated for correct format or embedded escape strings.

Affects the majority of applications that use a database backend and don't force variable types.

At least 50% of the large e-commerce sites and about 75% of the medium to small sites are

Improper validation in CFML, ASP, JSP, and PHP are the most frequent causes.

How does it work?

Identify the Errors

using SQL keywords "OR" and "AND", meta-characters such as the semicolon ;, the apostrophe ', and the comment symbol

Identifying Vulnerable Parameters

For a Number, String or Date parameter, try entering 3 + 3; no error means the parameter is possibly vulnerable.

Testing the Name parameter, once with an invalid string such as B', the other with one that will generate a valid string expression, such as B' + 'ook (or B' || 'ook with Oracle). This results in the following queries:

1) SELECT * FROM Products WHERE Name = 'Book''

2) SELECT * FROM Products WHERE Name = 'B' + 'ook'

Implement the Injection

By sending johnsmith' as the user, the following WHERE clause is generated:

WHERE Username = 'johnsmith'
Password = 'pass'

In this case, not only was the syntax right, but the authentication was by

Suppose someone entered the following string into your username text box: ' OR 0=0

Database Identification

The attacker must also identify the type of database that he is dealing with in order to exploit the SQL injection.

Assuming the syntax is known, and the attacker is able to add additional expressions to the WHERE

He could try this:
AND 'xxx' = 'x' + 'xx'

By replacing the + with ||, Oracle can easily be differentiated from MS SQL Server.


This is a widespread problem

Avoid the use of dynamically generated SQL in your code.
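To tie the login example above (the WHERE clause built from the username, and the ' OR 0=0 string) to this advice, here is an added example that is not part of the original slides: the same login query written first by string concatenation and then with bound parameters, run against a constructed in-memory SQLite table. The table, the user johnsmith, the password, and the function names are assumptions for the demo; the comment symbol used to terminate the injected input is the one the slides refer to.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('johnsmith', 'secret')")
    conn.commit()
    return conn


def login_dynamic(conn, username, password):
    """Vulnerable form: user-controlled data is concatenated straight into
    the WHERE clause, so apostrophes and keywords become part of the SQL.
    Returns True/False for the login result, or None on a SQL syntax error
    (the error an attacker looks for in the 'Identify the Errors' step)."""
    sql = ("SELECT COUNT(*) FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.OperationalError:
        return None


def login_parameterized(conn, username, password):
    """Fixed form: placeholders keep the query text constant and hand the
    values to the driver separately, so the input is only ever data."""
    sql = "SELECT COUNT(*) FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    bare = "' OR 0=0"            # the string from the slides, on its own
    commented = "' OR 0=0 --"    # same string, closed off with a SQL comment
    return {
        "dynamic_valid": login_dynamic(conn, "johnsmith", "secret"),
        "dynamic_apostrophe": login_dynamic(conn, "johnsmith'", "secret"),
        "dynamic_bare": login_dynamic(conn, bare, "anything"),
        "dynamic_commented": login_dynamic(conn, commented, "anything"),
        "param_valid": login_parameterized(conn, "johnsmith", "secret"),
        "param_commented": login_parameterized(conn, commented, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The bare ' OR 0=0 leaves an unmatched apostrophe and only produces a syntax error; the comment-terminated form logs in without a password in the concatenated version, while the parameterized version treats the same text as a literal username and returns no row.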

By implementing security measures at the application level, a developer can assure the client of a more secure application.