Thursday, August 3, 2017

SQL Injection

Overview

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.


SQL in Web Pages

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

Example:-

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The original purpose of the code was to create an SQL statement that selects a user with a given user id.
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input.

UserId:- 75 OR 1=1

Then the SQL statement will look like this:

SELECT * FROM Users WHERE UserId = 75 OR 1=1;

The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
A hacker might get access to all the user names and passwords in a database, by simply inserting 75 OR 1=1 into the input field.

SQL Injection Based on ""="" is Always True

Username: John
Password: abc123

uName = getRequestString("username");
uPass = getRequestString("userpassword");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

Result 

SELECT * FROM Users WHERE Name ="John" AND Pass ="abc123"

A hacker might get access to user names and passwords in a database by simply inserting " or ""=" into the user name or password text box:

Username : "or ""="
Password : "or ""="

Result

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statements.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

SELECT * FROM Users; DROP TABLE Suppliers

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;


The input will look like this:

User id : 75; DROP TABLE Suppliers

Result

SELECT * FROM Users WHERE UserId = 75; DROP TABLE Suppliers;

Use SQL Parameters for Protection

To protect a web site from SQL injection, you can use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);

Note that parameters are represented in the SQL statement by a @ marker.

The SQL engine checks each parameter to ensure that it is of the correct type for its column, and parameter values are treated literally, not as part of the SQL to be executed.
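As an added example (not code from the original post), the three patterns above in Python against an in-memory SQLite database: string concatenation that the post's inputs subvert, beside the parameterized form that treats them as plain values. SQLite uses ? as its placeholder where the post's db.Execute uses @0, its string literals are single-quoted, and the tables and rows are constructed here.

```python
import sqlite3

# Constructed sample schema and rows (not the page's data) so the
# example runs offline in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.execute("CREATE TABLE Suppliers (SupplierId INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(75, "John", "abc123"), (76, "Alice", "s3cret")])
    conn.execute("INSERT INTO Suppliers VALUES (1, 'Acme')")
    return conn

def find_user_concat(conn, user_id):
    # Vulnerable: the post's pattern, untrusted text pasted into the SQL.
    return conn.execute("SELECT * FROM Users WHERE UserId = " + user_id).fetchall()

def find_user_param(conn, user_id):
    # Fixed: sqlite3's "?" plays the role of the post's "@0"; the value is
    # bound at execution time and never parsed as SQL.
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()

def login_concat(conn, name, password):
    # Vulnerable login check (single-quoted literals, as SQLite requires).
    sql = "SELECT * FROM Users WHERE Name ='" + name + "' AND Pass ='" + password + "'"
    return conn.execute(sql).fetchall()

def login_param(conn, name, password):
    return conn.execute("SELECT * FROM Users WHERE Name = ? AND Pass = ?",
                        (name, password)).fetchall()

def batch_concat(conn, user_id):
    # Vulnerable: executescript runs every ';'-separated statement, so a
    # batched statement smuggled into user_id is executed as well.
    conn.executescript("SELECT * FROM Users WHERE UserId = " + user_id)

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print(find_user_concat(db, "75 OR 1=1"))            # every row comes back
    print(find_user_param(db, "75 OR 1=1"))             # [] : treated as a literal
    print(login_concat(db, "' or ''='", "' or ''='"))  # every row comes back
    print(login_param(db, "' or ''='", "' or ''='"))   # []
    batch_concat(db, "75; DROP TABLE Suppliers")
    print(table_exists(db, "Suppliers"))                # False
```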
