SQL Injection

SQL Injection

SQL injection, a code injection method, has the potential to compromise your database integrity.

Among the prevalent web hacking techniques, SQL injection stands out.

SQL injection involves embedding malicious code within SQL statements, often through user-input on web pages.

SQL in Web Pages

SQL injection typically arises when soliciting user input, such as a username or user ID, where instead of legitimate data, the user submits an SQL statement. This SQL statement is then unwittingly executed on the database.

Consider the following instance: a SELECT statement is constructed by concatenating a variable (txtUserId) with a select string. This variable is obtained from user input (getRequestString).

Example

txtUserId = getRequestString(“UserId”); txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;

The subsequent section outlines the risks associated with incorporating user input into SQL statements.

SQL Injection Based on 1=1 is Always True

In revisiting the example provided, the initial intent of the code was to generate an SQL statement for selecting a user based on a specified user ID.

However, in the absence of any safeguards against incorrect input, users can input cleverly crafted data, as illustrated below:

User ID:

105 OR 1=1

Subsequently, the SQL statement will appear as follows:

SELECT * FROM Users WHERE UserId = 105 OR 1=1;

The above SQL query is valid and will return all rows from the “Users” table because “OR 1=1” is always TRUE.

Does the example above seem dangerous? What if the “Users” table contains names and passwords?

The SQL statement provided is analogous to this:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

SQL Injection Based on “”=”” is Always True

Below is an illustration of a user login process on a website:

Username:

John Doe

Password:

myPass

Example

uName = getRequestString(“username”); uPass = getRequestString(“userpassword”); sql = ‘SELECT * FROM Users WHERE Name =”‘ + uName + ‘” AND Pass =”‘ + uPass + ‘”‘

Result

SELECT * FROM Users WHERE Name =“John Doe” AND Pass =“myPass”

By inserting ” OR “”=” into either the username or password text box, a hacker could potentially gain access to user names and passwords stored in a database.

User Name:

” or “”=”

Password:

” or “”=”

The code on the server will generate a SQL statement that is valid, similar to the following:

Result

SELECT * FROM Users WHERE Name =“” or “”=“” AND Pass =“” or “”=“”

This SQL statement is valid and will retrieve all rows from the “Users” table because the condition “OR “”=”” is always TRUE.

SQL Injection Based on Batched SQL Statements 

Many databases offer support for batched SQL statements, which are groups of two or more SQL statements separated by semicolons.

The following SQL statement will first retrieve all rows from the “Users” table and then proceed to delete the “Suppliers” table.

Example

SELECT * FROM Users; DROP TABLE Suppliers

Consider the example below:

Example

txtUserId = getRequestString(“UserId”); txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;

Take a look at the input provided below:

User id:

105; DROP TABLE Suppliers

Here’s how the valid SQL statement would appear:

Result

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

Use SQL Parameters for Protection