SQL injection
SQL injection is technique that exploits a security vulnerability using sql code.
This happens when the input given by the user is not correctly checked for the vurnerable SQL code and is there by sent to the instance of SQL Server for parsing and execution. This process works by terminating the text and by appending a new command.
SQL Injection Attack is abbreviated as SQLIA
Basic example of SQL Injection attack:
Lets consider the following query:
[php]var sql = "SELECT * FROM EMPLOYEE WHERE NAME =’"+EmployeeName+"’";[/php]
EmployeeName is fetched from the users input from the web page.
Now if the user enters “Jhon”, then the query would run great and the details of “Jhon” would be displayed.
But consider user entering the following as input:
[php]’ or ‘1’=’1[/php]
This would result in the following query:
[php]var sql = "SELECT * FROM EMPLOYEE WHERE NAME =” or ‘1’=’1’";[/php]
This means the user will be able to tweek the SQL query.
Using such means users can by pass user authentication on the websites. Hence the developers must be careful in order to avoid such Injection attacks.
Now if we pass this as employee name??
[php]Jhon’; drop table EMPLOYEE–[/php]
This results in the query being built into:
[php]var sql = "SELECT * FROM EMPLOYEE WHERE NAME =’Jhon’; drop table EMPLOYEE–‘";[/php]
The SQL Query that would be executed will be:
[sql]SELECT * FROM EMPLOYEE WHERE NAME =’Jhon’; drop table EMPLOYEE–‘[/sql]
Here ; says that the first query is completed, and the — says to ignore the remaining part of the query.
So three queries are executed here:
[sql]
SELECT * FROM EMPLOYEE WHERE NAME =’Jhon’
drop table EMPLOYEE
–‘[/sql]
- The first query gives the details of Jhon
- Second one drops the table EMPLOYEE
- The third one does not do any thing as it is just a SQL Comment
The following charecters must be checked in the user input and if they are present they have to be rejected:
- ;
- ‘
- —
- /* … */
- xp_
Downloads:
Microsoft – Source Code Analyzer for SQL Injection
References:
wiki
MSDN – SQL Injection