What is SQL Injection?

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command that the web application executes, exposing the back-end database. Owing to a lack of input validation, and to the application connecting to the database as a superuser (or as an account that can create users), the attacker may even create a superuser in your database. Put simply, SQL injection is a technique in which malicious users inject SQL commands into an SQL statement via web page input. The injected SQL alters the statement and compromises the security of the web application.

The first public discussions of SQL injection started appearing around 1998. SQL injection (SQLi) is considered one of the top 10 web application vulnerabilities. It is the application developers' fault if their application allows SQL injection, because if they validate every input field properly, nobody can attack via SQL injection!

OK, let me take an example. Suppose we have a simple login page where a user enters his username and password combination to enter a secure area, view his personal details or post comments in a forum. When the user submits his details, an SQL query is generated in the background from those details and submitted to the database for verification. If they are valid, the user is allowed into his member area; if the username and password do not match, a simple warning such as "Your user name and password might be wrong." is returned.

In simple words, the website's login page communicates with the database and returns a success page if the user is authenticated; otherwise it returns an error page.

Through SQL injection, the hacker inputs specifically crafted SQL commands with some logical inputs and sees what lies behind them. This is only possible if the inputs are not properly validated and are sent directly to the database as part of the SQL query. SQL injection vulnerabilities provide a backdoor through which a hacker communicates directly with the database.

How does it cause vulnerabilities?

 

    1. Unvalidated input in an UPDATE statement

      $password = $_POST['password'];   // taken straight from the request
      $id = $_POST['id'];               // never checked to be a number
      $sql = "UPDATE Accounts SET PASSWORD = '$password' WHERE account_id = $id";

      Now suppose the attacker sets the POST request parameters to "password=1234" and "id=account_id", resulting in the following SQL:

      UPDATE Accounts SET PASSWORD = '1234' WHERE account_id = account_id

      The condition account_id = account_id is true for every row, so every account's password is now 1234. Knowing the password of every account, the attacker can fetch all the data from the Accounts table: account number, name, address, etc.
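To make the first example concrete, here is an added Python demonstration (not code from the article; it assumes a constructed three-row SQLite Accounts table) of the same UPDATE built by string concatenation beside a parameterized version. The row count the database reports is the tell-tale signal: the vulnerable handler changes three rows for a request that should touch one, while the hardened handler rejects the non-numeric id before anything reaches the database.

```python
import sqlite3

# Constructed sample data (not from the article): three accounts, each with its own password.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (account_id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)",
                     [(1, "alice", "a-secret"), (2, "bob", "b-secret"), (3, "carol", "c-secret")])
    conn.commit()
    return conn

def update_password_vulnerable(conn, password, account_id):
    """Mirrors the article's PHP: both request values are pasted into the SQL text."""
    sql = f"UPDATE Accounts SET password = '{password}' WHERE account_id = {account_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed; 1 is expected, anything else is suspicious

def update_password_safe(conn, password, account_id):
    """Hardened version: reject any id that is not a plain integer, then bind both
    values as parameters so the driver never treats them as SQL."""
    if not str(account_id).isdigit():
        return 0  # a real handler would answer HTTP 400; nothing reaches the database
    cur = conn.execute("UPDATE Accounts SET password = ? WHERE account_id = ?",
                       (password, int(account_id)))
    conn.commit()
    return cur.rowcount

def passwords(conn):
    """Current password column, ordered by account_id (for inspection only)."""
    return [row[0] for row in conn.execute("SELECT password FROM Accounts ORDER BY account_id")]

if __name__ == "__main__":
    conn = make_db()
    # The request from the article: password=1234, id=account_id
    print("vulnerable handler changed", update_password_vulnerable(conn, "1234", "account_id"), "rows")
    print("passwords now:", passwords(conn))
    conn = make_db()
    print("safe handler changed", update_password_safe(conn, "1234", "account_id"), "rows")
    print("passwords still:", passwords(conn))
```

Even without the `isdigit` check, binding `account_id` as a parameter would compare the column against the string `'account_id'` and match nothing; the explicit validation is there so that malformed requests are rejected up front rather than silently updating zero rows.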

 

    2. 1=1 (always true condition)

Let's take a user id field:

User Id: 105 or 1=1

Server result:

              SELECT * FROM Users WHERE UserId = 105 or 1=1

The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true. Isn't that dangerous? What if the Users table contains names and passwords?

3. ''='' (always true)

Suppose we have two fields:

User Name:

Password:

        Server code:

          uName = getRequestString("UserName");
          uPass = getRequestString("UserPass");

          // both values are pasted straight into the query text
          sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'";

A smart hacker might get access to user names and passwords in a database by simply entering ' or ''=' into the user name or password text box.

The code at the server will create a valid SQL statement like this:

         SELECT * FROM Users WHERE Name ='' or ''='' AND Pass ='' or ''=''

The resulting SQL is valid. It will return all rows from the table Users, since WHERE ''='' is always true.
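The 1=1 and ''='' cases are the same defect in two contexts (an unquoted number and a quoted string), so here is one added Python example (not the article's code; it assumes a constructed SQLite Users table with a row for UserId 105) that shows both concatenated queries next to their parameterized replacements. Parameter binding sends the query text and the values separately, so `105 or 1=1` and `' or ''='` reach the database as data that matches no row.

```python
import sqlite3

# Constructed sample Users table (not from the article); 105 matches the article's example id.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(105, "alice", "a-secret"), (106, "bob", "b-secret"), (107, "carol", "c-secret")])
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, user_id):
    """Numeric context: the id is concatenated, so '105 or 1=1' becomes part of the WHERE clause."""
    sql = "SELECT UserId, Name FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()

def login_vulnerable(conn, uname, upass):
    """String context, built exactly like the article's server code."""
    sql = "SELECT UserId, Name FROM Users WHERE Name ='" + uname + "' AND Pass ='" + upass + "'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, user_id):
    """Validate the id as an integer and bind it; non-numeric input never reaches SQL."""
    if not user_id.isdigit():
        return []  # a real handler would answer HTTP 400
    return conn.execute("SELECT UserId, Name FROM Users WHERE UserId = ?", (int(user_id),)).fetchall()

def login_safe(conn, uname, upass):
    """Both credentials are bound as parameters, so quotes inside them are just characters."""
    return conn.execute("SELECT UserId, Name FROM Users WHERE Name = ? AND Pass = ?",
                        (uname, upass)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup, id='105 or 1=1':", lookup_user_vulnerable(conn, "105 or 1=1"))
    print("safe lookup,       id='105 or 1=1':", lookup_user_safe(conn, "105 or 1=1"))
    tautology = "' or ''='"
    print("vulnerable login with tautology:", login_vulnerable(conn, tautology, tautology))
    print("safe login with tautology:      ", login_safe(conn, tautology, tautology))
```

The example keeps the clear-text password column only so that its query matches the article's; storing password hashes instead is a separate hardening step that parameterized queries do not replace.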

 

So, as I explained above, there are lots of techniques that hackers can use to access all your secret information from your supposedly secure database. An attacker can perform all CRUD operations (create, read, update, delete) on your database.

In the next article we will tell you how to prevent SQL injection, and how to secure our blog or website against this serious attack.
