SQL Injection

SQL injection is a technique used to extract user data by injecting web page inputs as statements through SQL commands. Basically, malicious users can use these instructions to manipulate the application’s web server.

1. SQL injection is a code injection technique that can compromise your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the injection of malicious code into SQL statements via web page input.

 

The Exploitation of SQL Injection in Web Applications 

Web servers communicate with database servers anytime they need to retrieve or store user data. SQL statements by the attacker are designed so that they can be executed while the web server is fetching content from the application server. It compromises the security of a web application. 

Example of SQL Injection

Suppose we have an application based on student records. Any student can view only his or her own records by entering a unique and private student ID. 

Suppose we have a field like the one below: 

Student id: The student enters the following in the input field: 12222345 or 1=1. 

Query:

SELECT * from STUDENT where 
STUDENT-ID == 12222345 or 1 = 1

Now, this 1=1 will return all records for which this holds true. So basically, all the student data is compromised. Now the malicious user can also delete the student records in a similar fashion. Consider the following SQL query.

Query:

SELECT * from USER where 
USERNAME = “” and PASSWORD=”” 

Now the malicious can use the ‘=’ operator in a clever manner to retrieve private and secure user information. So instead of the above-mentioned query the following query when executed retrieves protected data, not intended to be shown to users.

Query:

Select * from User where 
(Username = “” or 1=1) AND 
(Password=”” or 1=1).

Since 1=1 always holds true, user data is compromised. 

Impact of SQL Injection

The hacker can retrieve all the user data present in the database such as user details, credit card information, and social security numbers, and can also gain access to protected areas like the administrator portal. It is also possible to delete user data from the tables. 

Nowadays, all online shopping applications and bank transactions use back-end database servers. So in case the hacker is able to exploit SQL injection, the entire server is compromised. 

Preventing SQL Injection

• User Authentication: Validating input from the user by pre-defining length, type of input, of the input field and authenticating the user.
• Restricting access privileges of users and defining how much amount of data any outsider can access from the database. Basically, users should not be granted permission to access everything in the database.
• Do not use system administrator accounts. 

For more details, you can refer to How to Protect Against SQL Injection Attacks? article. 

SQL in Web Pages

SQL injection typically occurs when you ask a user for input, such as their username/user ID, instead of their name/ID, and the user gives you an SQL statement that you execute without the knowledge about your database.

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users
WHERE UserId = " + txtUserId;

SQL Injection Based on Batched SQL Statements 

1. Most databases guide batch SQL  statements.
2. A batch of SQL statements is a collection of two or more square statements separated by using semicolons.

The SQL  declaration underneath will return all rows from the “users” desk after which delete the “Employees ” table.

Query: 

SELECT * FROM Users; 
DROP TABLE Employees

Look at the following example:

Syntax:

txtEmpId = getRequestString("EmpId");
txtSQL = "SELECT * FROM Users 
WHERE EmpId = " + txtEmpId;

The valid SQL statement would look like this:

Query:

SELECT * FROM Users WHERE EmpId = 116; 
DROP TABLE Employees;