What is SQL Injection?
SQL injection is an attack in which an attacker injects SQL commands into the database engine through an existing application.
It is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data.
It is a serious vulnerability that can lead to a high level of compromise, usually the ability to run arbitrary database queries.
It is an attack on web-based applications that connect to database back-ends, in which the attacker executes unauthorized (and unexpected) SQL commands by taking advantage of insecure code and bad input validation. It is very common on Internet-facing systems because the injected input travels inside ordinary HTTP requests on a port the firewall already allows, so a network firewall does not stop it. SQL injection can be used to steal data from a database that the application would normally not expose and, through features of the database engine such as command-execution stored procedures, to gain access to the host computer itself.
Example of a SQL injection attack
SQL query built by string concatenation in the web application code:
"SELECT * FROM users WHERE login = '" + userName + "' and password = '" + password + "';"
The attacker logs in with the user name ' or '' = ''; -- (and any password), and the query becomes:
SELECT * FROM users WHERE login = '' or '' = ''; --' and password = '';
The condition '' = '' is always true, and the -- comments out the rest of the statement, including the password check, so the query matches every user and the attacker is logged in without knowing a password.
The attacker deletes the users table by logging in with: ' or '' = ''; DROP TABLE users; --
SELECT * FROM users WHERE login = '' or '' = ''; DROP TABLE users; --' and password = '';
The second statement only runs if the database API executes stacked statements; some drivers refuse a batch in a single call, which limits this variant but does nothing against the login bypass above.
What are common SQL injection characters?
' or "                      string delimiters; a stray quote terminates the string literal the input sits in
-- or #                     single-line comment (-- in most dialects, # in MySQL); hides the rest of the original query
/* ... */                   multi-line comment
+                           addition; also string concatenation in T-SQL (and the URL encoding of a space)
||                          string concatenation (Oracle, PostgreSQL, SQLite)
%                           wildcard in LIKE patterns
?Param1=foo&Param2=bar      URL query-string parameters, a common injection point
PRINT                       T-SQL output statement; useful because it is non-transactional
@variable                   T-SQL local variable
@@variable                  T-SQL global variable or system function (for example @@version)
WAITFOR DELAY '0:0:10'      T-SQL time delay; the basis of time-based blind injection
How to defend against SQL injection?
- Treat all input as untrusted and potentially harmful, including hidden fields, cookies and headers, not only visible form fields.
- Validate user input against an allow-list of expected characters or formats (for example, a login may contain only letters, digits and a few punctuation characters). Rejecting input that contains dangerous keywords or SQL characters such as "xp_cmdshell", "--" and ";" adds some protection, but a block-list alone is easily bypassed with alternative spellings and encodings, so it must not be the only control.
- Consider using regular expressions to validate input or remove unwanted characters. This approach is safer than writing your own search-and-replace routines.
- Run code with least privilege.
- Do not execute SQL SELECT statements as "sa" (the SQL Server administrative account) or any other database administrator. Create low-privilege accounts to access data.
- Use SQL permissions to lock down databases, stored procedures and tables.
- Remove unused stored procedures, especially those that can execute operating-system commands.
- Do not allow clients to view ODBC/OLE DB error messages; handle these errors in your own code. By default, ASP pages return error messages to clients, and those messages reveal table and column names that make an attack easier.
- Enable logging of all user access, and set alerts on failed attempts to access objects.
- Do not use string concatenation to build SQL queries. Instead, use parameterized queries (prepared statements) or parameterized stored procedures: the SQL text and the input values are sent to the database separately, so the input is never parsed as SQL and cannot close a string literal or append a statement. This is the primary defense; the items above are defense in depth.
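The login query from the example above, the two payloads from that example, and the parameterized query the defense list recommends, as an added example that is not part of the original page. It assumes Python's sqlite3 module with an in-memory database and a constructed one-row users table (the page gives no schema); the allow-list pattern for logins is an assumption as well.

```python
"""SQL injection in the page's login query, and the parameterized fix.

Added example, not code from the original page. Uses an in-memory SQLite
database; the users schema and the sample row are constructed here.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: one user, so a correct login returns one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_query_vulnerable(user_name, password):
    """The page's concatenation pattern: untrusted text becomes part of the SQL."""
    return ("SELECT * FROM users WHERE login = '" + user_name
            + "' and password = '" + password + "';")


def login_vulnerable(conn, user_name, password):
    """Runs the concatenated query and returns the matched rows.

    A user name like  ' or '' = '' or '  turns the WHERE clause into
    login = '' or '' = '' or '' and password = '...', which is always true,
    so every user matches no matter what password was supplied.
    """
    return conn.execute(build_query_vulnerable(user_name, password)).fetchall()


def login_parameterized(conn, user_name, password):
    """Same query with placeholders: the driver sends the values separately
    from the SQL text, so a quote in the input is data, never syntax."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def stacked_query_refused(conn, user_name, password):
    """The page's DROP TABLE payload. Whether the second statement runs depends
    on the database API: sqlite3's execute() refuses statement batches, so here
    the attempt raises instead of dropping the table. Returns True if refused."""
    try:
        conn.execute(build_query_vulnerable(user_name, password))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


# Assumed allow-list for a login name: defense in depth on top of
# parameterization, not a substitute for it.
LOGIN_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_login(user_name):
    """Accept only the characters a login legitimately needs, instead of
    trying to block-list SQL keywords and punctuation."""
    return LOGIN_RE.fullmatch(user_name) is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or '' = '' or '"
    print("concatenated, good credentials :", login_vulnerable(db, "alice", "correct horse"))
    print("concatenated, injected login   :", login_vulnerable(db, bypass, "wrong"))
    print("parameterized, injected login  :", login_parameterized(db, bypass, "wrong"))
    print("stacked DROP TABLE refused     :",
          stacked_query_refused(db, "' or '' = ''; DROP TABLE users; --", ""))
    print("allow-list accepts payload     :", is_valid_login(bypass))
```

The concatenated version logs the attacker in with the injected user name and a wrong password, while the parameterized version returns no rows for exactly the same input. The stacked DROP TABLE payload is refused by this particular driver, which is why the page's last item should not be read as "parameterization works by disabling batches": the protection comes from the input never being parsed as SQL, and that holds on drivers that do allow batches too.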