SQL Injection

This tutorial will explain all about SQL injection. You will learn what the impact of SQL injection is and how to prevent it.

What is SQL Injection?

“An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input”. SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn’t properly filter out dangerous characters.

This can allow an attacker to not only steal data from your database but also modify and delete it. Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire machine.

Attackers commonly insert single quotes into a URL’s query string, or into a form’s input field, to test for SQL Injection. If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection.

SQL Injection Example:

Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.

When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user gets access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user gets appropriate access.

Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitized (i.e., made invulnerable), and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.


Suppose the username is Admin and the password is Admin. The query will be:

Select id from logins where username =Admin and password =Admin

If the hacker enters the username as Admin --, the query will look like this:

Select id from logins where username =Admin -- and password =Admin

SQL will simply ignore the part of the query after '--', which is treated as a comment. Or, if the hacker enters the password as anything or 'a'='a', the query will be:

Select id from logins where username =Admin and password =anything or 'a'='a'

As the inputs of the web application are not properly sanitized, the use of the single quotes has turned the 'WHERE' SQL command into a two-component clause. The 'a'='a' part is guaranteed to be true regardless of what the first part contains. This will allow the attacker to bypass the login form without actually knowing a valid username/password combination!
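The login check described above, as an added example that is not part of the original tutorial: it runs the tutorial's inputs against a query built by string concatenation and against the same query with bound parameters, a fix the tutorial itself does not name. Assumptions: an in-memory SQLite database, a made-up stored password, hypothetical function names, and string values quoted as a real statement would quote them, so the inputs carry the matching single quote.

```python
import sqlite3

def make_db():
    # Constructed sample data. Table and column names follow the tutorial's
    # query; the stored password is made up and kept in plaintext only to
    # mirror that query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO logins (username, password) VALUES ('Admin', 'S3cret!')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable: user input becomes part of the SQL text itself."""
    query = ("SELECT id FROM logins WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        # A stray quote breaks the statement; the resulting database error is
        # the signal the tutorial says attackers look for.
        return False

def login_parameterized(db, username, password):
    """Hardened: input is bound as data and never parsed as SQL."""
    query = "SELECT id FROM logins WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("Admin", "S3cret!"),              # legitimate login
        ("Admin", "wrong"),                # wrong password
        ("Admin' --", "x"),                # rest of the query is commented out
        ("Admin", "anything' or 'a'='a"),  # always-true clause
    ]
    for user, pw in attempts:
        print(f"{user!r:14} {pw!r:24} "
              f"concatenated={login_concatenated(db, user, pw)} "
              f"parameterized={login_parameterized(db, user, pw)}")
```

Only the concatenated version accepts the last two attempts; with bound parameters they are compared as literal strings and match no row.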

What is the impact of SQL injection?

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL Query / Commands through an input form field. This is equivalent to handing the attacker your database and allowing him to execute any SQL command including DROP TABLE to the database!

An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to manipulate existing queries, to UNION (used to select related information from two tables) arbitrary data, use subselects, or append additional queries.

In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures, it may be possible to compromise the entire machine. Unfortunately, the impact of SQL Injection is only uncovered when the theft is discovered. Data is being unwittingly stolen through various hack attacks all the time. The more expert hackers rarely get caught.

How Do I Prevent SQL Injection Attack?

Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your database servers through web applications.

Patching your servers, databases, programming languages and operating systems is critical, but it is in no way the best way to prevent SQL Injection Attacks.
