What is SQL Injection

jellytrick, Internet and Web Development

Nov 10, 2013





User-controlled data is placed into a SQL query without being validated for correct format or embedded escape strings.

Affects the majority of applications that use a database backend and don't force variable types.

At least 50% of the large e-commerce sites and about 75% of the medium to small sites are vulnerable.

Improper validation in CFML, ASP, JSP, and PHP is the most frequent cause.

How does it work?


Identify the Errors - using the SQL keywords "OR" and "AND", the meta characters semicolon (;) and apostrophe ('), and the comment symbol --


Identifying Vulnerable Parameters - Number, String or Date: try entering 3 + 3; no error means a possible vulnerability.


Testing the Name parameter, once with an invalid string such as B', the other with one that will generate a valid string expression, such as B' + 'ook (or B' || 'ook with Oracle). This results in the following queries:

1) SELECT * FROM Products WHERE Name = 'Book''

2) SELECT * FROM Products WHERE Name = 'B' + 'ook'
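The two probes above (3 + 3 on a number parameter, B' and B' || 'ook on a string parameter) only "work" because the raw value is pasted into the statement text. The following is an added example, not code from the slides: it builds a constructed Products table in SQLite (assumed here because it ships with Python and, like Oracle, concatenates strings with ||), shows a concatenated query evaluating the probes as SQL, and beside it the hardened form that forces the variable type and binds the value as a parameter. The function and column names are the example's own.

```python
import sqlite3
from datetime import date

# Constructed sample table, not from the original slides.
def make_products_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT, Added TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)",
                     [(3, "Pen", "2013-11-01"), (6, "Book", "2013-11-10")])
    return conn

# Vulnerable: the raw parameter becomes part of the statement text, so the
# database parses whatever the user typed as SQL.
def find_by_id_unsafe(conn, raw_id):
    sql = "SELECT Name FROM Products WHERE Id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

def find_by_name_unsafe(conn, raw_name):
    sql = "SELECT Name FROM Products WHERE Name = '" + raw_name + "'"
    return [row[0] for row in conn.execute(sql)]

# Hardened: force the variable type first, then bind the value as a
# parameter so the database never parses it as SQL.
def as_number(value):
    return int(value)                 # "3 + 3" raises ValueError here

def as_date(value):
    return date.fromisoformat(value)  # "2013-11-10' OR 0=0 --" raises ValueError

def find_by_id_safe(conn, raw_id):
    pid = as_number(raw_id)
    return [row[0] for row in conn.execute(
        "SELECT Name FROM Products WHERE Id = ?", (pid,))]

def find_by_name_safe(conn, raw_name):
    # A string cannot be "typed" away; the bound parameter is compared as data,
    # so B' || 'ook is looked up literally and matches nothing.
    return [row[0] for row in conn.execute(
        "SELECT Name FROM Products WHERE Name = ?", (raw_name,))]

def find_added_on_safe(conn, raw_date):
    d = as_date(raw_date)
    return [row[0] for row in conn.execute(
        "SELECT Name FROM Products WHERE Added = ?", (d.isoformat(),))]

if __name__ == "__main__":
    conn = make_products_db()
    print(find_by_id_unsafe(conn, "3 + 3"))         # ['Book']: arithmetic ran inside SQL
    print(find_by_name_unsafe(conn, "B' || 'ook"))  # ['Book']: concatenation ran inside SQL
    print(find_by_name_safe(conn, "B' || 'ook"))    # []: compared as a literal string
```

Running the unsafe name lookup with just B' raises a syntax error from the database, which is the "error" the slide says to look for; the typed, parameterized versions either reject the value before it reaches the database or compare it as plain data, so neither probe tells an outsider anything.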


Implement the Injection


By sending johnsmith'-- as the user, the following WHERE clause is generated:

WHERE Username = 'johnsmith'--' AND Password = 'pass'


In this case, not only was the syntax right, but the authentication was bypassed.

Suppose someone entered the following string into your username text box: ' OR 0=0 --
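To see why the generated WHERE clause above lets the login through, and what the fix looks like, here is an added example that is not part of the original slides. It assumes an SQLite database (chosen because it ships with Python and honours the -- comment) with a constructed Users table; the function names are the example's own, and the password is stored in clear only to keep the example short.

```python
import sqlite3

# Constructed sample user table, not from the original slides.
def make_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('johnsmith', 'correct horse')")
    return conn

# Vulnerable: the WHERE clause is assembled by string concatenation, which is
# how the clause shown on the slide comes to exist.
def build_where_unsafe(username, password):
    return ("WHERE Username = '" + username +
            "' AND Password = '" + password + "'")

def login_unsafe(conn, username, password):
    sql = "SELECT Username FROM Users " + build_where_unsafe(username, password)
    # With username johnsmith'-- everything after -- is a comment, so the
    # password comparison never runs; with ' OR 0=0 -- the OR matches any row.
    return conn.execute(sql).fetchone() is not None

# Hardened: the values are bound to placeholders, so a quote or -- inside the
# input is compared as characters of the username and never parsed as SQL.
def login_safe(conn, username, password):
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchone()
    return row is not None

if __name__ == "__main__":
    conn = make_users_db()
    print(build_where_unsafe("johnsmith'--", "pass"))
    print(login_unsafe(conn, "johnsmith'--", "pass"))  # True: password check commented out
    print(login_safe(conn, "johnsmith'--", "pass"))    # False: no such username
```

The parameterized version needs no escaping of quotes by hand; the database driver keeps the statement and the data separate, which is the concrete form of the slide's closing advice to avoid dynamically generated SQL.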


Database Identification


The attacker must also identify the type of database that he is dealing with in order to exploit the SQL injection.

Assuming the syntax is known, and the attacker is able to add additional expressions to the WHERE clause, he could try this:

AND 'xxx' = 'x' + 'xx'

By replacing the + with ||, Oracle can be easily differentiated from MS SQL Server.


Conclusion


This is a widespread problem.

Avoid the use of dynamically generated SQL in your code.

By implementing security measures at the application level, a developer can assure the client of a more secure application.