Wednesday, 6 April 2011

What is SQL Injection?

    PRABH KARAN SINGH

    SQL Injection - \S-Q-L-in-'jek-shen\ - Noun
    The technique of feeding malicious data into an SQL statement so that the database executes it as part of the query; the vulnerability therefore lives in the database layer of the application.

    What Does It Look Like?
    The vast majority of all SQL injections take place through an input form.
    The most basic SQL injection looks like the following:

    Quote:
    Variable' or 1=1--


    Let's say we have a login form. By entering the above string as the username, the injection lets us log in even without proper credentials!

    How does it work?
    Take a look:


    Code:
    SELECT * FROM users WHERE username = 'Variable' or 1=1--'



    See how our input is injected straight into the query? This query grants us access regardless of the username, since "1=1" is always true, so the WHERE clause matches every row. In effect, we bypass the whole selection process.

    You may have been wondering what the double dashes (--) are for. These dashes at the end tell the SQL server to treat the rest of the query as a comment and ignore it, including the trailing single quote the application appends. If the target is not an SQL server that honours this comment syntax, omitting the double dashes and closing the single quote yourself gets the same result.

    Note that while this is the most common form, it certainly isn't the only way that malicious users gain entry; SQL syntax differs from one database to another.
    It's also common to see the following:


    Code:
    ') or ('1'='1
    "or "1"="1
    ' or '1'='1
    Or 1=1--
    " or 1=1--
    ' or 1=1--
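To watch the login bypass described above actually happen, here is an added example (not code from the post) that uses Python's built-in sqlite3 module in place of MySQL. It builds a constructed users table, a login check that concatenates the username into the query exactly like the SELECT shown above, and the same check written with bound parameters. The table contents, passwords and function names are all constructed for this example.

```python
import sqlite3

# Constructed sample data: a tiny users table in an in-memory SQLite database.
SAMPLE_USERS = [
    (1, "alice", "correct horse"),
    (2, "bob", "battery staple"),
]


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation, the pattern the post shows.

    Returns the (sorted) usernames of every row the query matches; a
    successful login is any non-empty result.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username = "Variable' or 1=1--" the query becomes
    #   ... WHERE username = 'Variable' or 1=1--' AND password = '...'
    # The -- comments out the password check and 1=1 matches every row.
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Same query with bound parameters.

    The driver sends the two values separately from the SQL text, so quotes
    and '--' inside them are plain data and never become part of the query.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "Variable' or 1=1--"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # both users
    print("safe:      ", login_safe(db, payload, "anything"))        # nobody
```

The vulnerable function returns every user for the payload from the post (and for the `' or '1'='1` variant in the list above), while the parameterised version returns nothing for the same input and still authenticates a real user with the right password.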



    SQL Injection: Attacking Via URLs
    It is also possible to attack an SQL server through the URL, which is usually far more dangerous for webmasters.
    When using PHP and SQL, you will commonly see a URL such as the following:


    Code:
    http://YourWebsite.com/page.php?id=2



    By appending a little SQL to the id value at the end of the URL, the SQL server can be attacked in the same way as through the login form.

    That is enough on the attack side. Now let's finally find out how to secure your website from SQL injection.


    SQL Injection Prevention: Editing Lengths Of Form Components
    The first step in the process is simple: restrict input fields to the absolute minimum length; usually anywhere from 7-12 characters is fine. Long queries then cannot be typed into the field, since it only has room for short ones. This will not actually prevent an SQL injection, but it makes work harder for those trying to use one.

    Note: attackers can simply build their own copy of the form without the length limit, since the limit is plain HTML that anyone can view (and edit).

    SQL Injection Prevention: Data Type Validation
    Another good idea is to validate any data once it is received. If a user had to input an age, make sure the input is an actual number. If it was a date, make sure the date is in the proper format. Again, this will not prevent an SQL injection in itself; it just makes work harder for those trying to exploit an SQL server.

    Note: this is still only slowing attackers down, but isn't it much more satisfying to have them waste their time before finding out one's own query is impervious to harm?

    SQL Injection Prevention: The Solution
    We'll accomplish this with a simple function that the developers of PHP provide especially for this purpose. The function is mysql_real_escape_string(); take a look at it below:

    Code:
    $name = "Honey";
    $name = mysql_real_escape_string($name);
    $SQL = "SELECT * FROM users WHERE username = '$name'";



    In practice, $name would come from a POST value, as seen below:

    Code:
    $name = mysql_real_escape_string($_POST['user']);



    And we can even make things easier by putting it all on one line (note that the escaped value must still sit inside single quotes in the query):

    Code:
    $SQL = "SELECT * FROM users WHERE username = '" . mysql_real_escape_string($_POST['user']) . "'";



    So what does the output look like if malicious users try to get access to our SQL server?
    Their attempts may look something like this:


    Code:
    $malicious_input = "' OR 1'";
    // The above is the malicious input. Don't be scared!
    $escaped = mysql_real_escape_string($malicious_input);
    // $escaped now holds the following:
    //   \' OR 1\'
    // Notice how the backslashes escape the quotes! The input can no longer break out of the quoted string in the query.



    And the best part is, they just wasted their time and effort for nothing.

    Lastly, note that there are libraries and classes that can help in the fight against SQL injection. Prepared statements are an option as well, but as for us, we prefer sticking to the mysql_real_escape_string() function for fewer headaches.
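As an added example (not code from the post) covering both the escaping output shown above and the earlier page.php?id=2 URL case, here is a Python sketch with SQLite standing in for MySQL. It contains a toy escape_like_mysql() that mimics the characters mysql_real_escape_string() is documented to backslash-escape (NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z), then shows that such escaping does nothing when the value is dropped into an unquoted numeric comparison, which is exactly where the post's data-type validation and bound parameters come in. The pages table, its rows and the function names are constructed for this example, and the escape helper is a hypothetical re-implementation, not the PHP function. (The mysql_* extension was removed in PHP 7, so PDO or mysqli prepared statements are the current route.)

```python
import re
import sqlite3

# Constructed sample table of pages, mirroring the post's page.php?id=2 example.
SAMPLE_PAGES = [(1, "home"), (2, "about"), (3, "admin only")]


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    return conn


# Hypothetical re-implementation of the escaping mysql_real_escape_string()
# performs (backslash in front of NUL, \n, \r, \, ', " and Ctrl-Z). It is not
# the PHP function, and SQLite itself does not understand backslash escapes,
# so the escaped string is only inspected here, never executed.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape_like_mysql(value):
    """Return value with the MySQL-style backslash escapes applied."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def page_titles_escaped_but_unquoted(conn, page_id):
    """Escape the value, then place it in an UNQUOTED numeric comparison.

    "2 or 1=1" contains none of the escaped characters, so escaping leaves
    it untouched and the query becomes ... WHERE id = 2 or 1=1.
    """
    sql = "SELECT title FROM pages WHERE id = " + escape_like_mysql(page_id)
    return sorted(row[0] for row in conn.execute(sql))


def is_valid_page_id(value):
    """The post's data-type validation: accept only a whole number."""
    return re.fullmatch(r"[0-9]+", value) is not None


def page_titles_validated(conn, page_id):
    """Reject non-numeric ids up front and bind the value as a parameter."""
    if not is_valid_page_id(page_id):
        raise ValueError("id must be a whole number")
    sql = "SELECT title FROM pages WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(page_id),)))


if __name__ == "__main__":
    print(escape_like_mysql("' OR 1'"))  # \' OR 1\'  (matches the post)
    db = make_db()
    print(page_titles_escaped_but_unquoted(db, "2"))         # ['about']
    print(page_titles_escaped_but_unquoted(db, "2 or 1=1"))  # every page
    print(is_valid_page_id("2 or 1=1"))                      # False
```

The first call reproduces the `\' OR 1\'` output from the post. The unquoted-id function shows the limit of escaping on its own: with no quote to escape, `2 or 1=1` passes through unchanged and the query returns every page, which is why the value should be validated as a number, or bound as a parameter, before it reaches the query.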
