SQL INJECTION ATTACKS
- Navneet Gupta
WHAT IS A SQL INJECTION ATTACK?
Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
SELECT productdata FROM table WHERE productname = 'user input product name';
A SQL injection attack involves placing SQL statements in the user input.
AN EXAMPLE SQL INJECTION ATTACK
Product Search:
blah' OR 'x' = 'x
This input is put directly into the SQL statement within the Web application:
$query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";
Creates the following SQL:
SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR 'x' = 'x'
Attacker has now successfully caused the entire database to be returned.
A MORE MALICIOUS EXAMPLE
What if the attacker had instead entered:
blah'; DROP TABLE prodinfo; --
Results in the following SQL:
SELECT prodinfo FROM prodtable WHERE prodname = 'blah'; DROP TABLE prodinfo; --'
Causes the entire database to be deleted.
Depends on knowledge of the table name
This is sometimes exposed to the user in debug code called during a database error
Use non-obvious table names, and never expose them to the user
OTHER INJECTION POSSIBILITIES
Using SQL injections, attackers can:
Add new data to the database
Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site
Perform an INSERT in the injected SQL
Modify data currently in the database
Could be very costly to have an expensive item suddenly be deeply discounted
Perform an UPDATE in the injected SQL
Often can gain access to other users' system capabilities by obtaining their passwords
DEFENSES
Use provided functions for escaping strings
Many attacks can be thwarted by simply using the SQL string escaping mechanism
\' and \"
mysql_real_escape_string() is the preferred function for this
Consider:
SELECT fields FROM table WHERE id = 23 OR 1=1   -- No quotes here!
Not a silver bullet!
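The vulnerable product search from the slides beside its escaped and bound-parameter forms, as an added example that is not part of the original deck: it recreates the scenario in Python with an in-memory SQLite table and constructed sample rows (the slides' code is PHP against MySQL), and goes beyond the slides by adding bound parameters, which also close the unquoted-number case that escaping cannot.

```python
import sqlite3

# Constructed sample rows standing in for the slides' prodtable (not real data).
PRODUCTS = [("widget", "Widget, $10"), ("gadget", "Gadget, $25"), ("sprocket", "Sprocket, $40")]

def make_db():
    conn = sqlite3.connect(":memory:")  # in-memory SQLite copy of prodtable
    conn.execute("CREATE TABLE prodtable (id INTEGER PRIMARY KEY, prodname TEXT, prodinfo TEXT)")
    conn.executemany("INSERT INTO prodtable (prodname, prodinfo) VALUES (?, ?)", PRODUCTS)
    return conn

def search_vulnerable(conn, prod_search):
    # Same shape as the slides' PHP: user text is spliced straight into the query string.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + prod_search + "'"
    return [row[0] for row in conn.execute(query)]

def search_escaped(conn, prod_search):
    # Quote escaping, the job mysql_real_escape_string does for MySQL (SQLite doubles the
    # quote instead of backslashing it): the value stays inside the string literal.
    escaped = prod_search.replace("'", "''")
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + escaped + "'"
    return [row[0] for row in conn.execute(query)]

def search_by_id_escaped(conn, id_input):
    # The "no quotes here" slide: an unquoted numeric field gives escaping nothing to protect.
    query = "SELECT prodinfo FROM prodtable WHERE id = " + id_input.replace("'", "''")
    return [row[0] for row in conn.execute(query)]

def search_parameterized(conn, prod_search):
    # Bound parameter: the value travels separately from the SQL text and is never parsed as SQL.
    rows = conn.execute("SELECT prodinfo FROM prodtable WHERE prodname = ?", (prod_search,))
    return [row[0] for row in rows]

def search_by_id_parameterized(conn, id_input):
    # Validate against the field's fixed language (digits only), then bind it.
    if not id_input.isdigit():
        raise ValueError("product id must be numeric")
    rows = conn.execute("SELECT prodinfo FROM prodtable WHERE id = ?", (int(id_input),))
    return [row[0] for row in rows]

def demo():
    """Run the slides' inputs through each variant; returns how many rows each returned."""
    conn = make_db()
    payload = "blah' OR 'x' = 'x"
    return {
        "vulnerable": len(search_vulnerable(conn, payload)),         # 3: every row
        "escaped": len(search_escaped(conn, payload)),               # 0: plain string compare
        "id_escaped": len(search_by_id_escaped(conn, "23 OR 1=1")),  # 3: escaping did nothing
        "parameterized": len(search_parameterized(conn, payload)),   # 0
    }
```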
MORE DEFENSES
Check syntax of input for validity
Many classes of input have fixed languages
Email addresses, dates, part numbers, etc.
Verify that the input is a valid string in the language
Sometimes languages allow problematic characters (e.g., * in email addresses); you may decide to not allow these
If you can exclude quotes and semicolons, that's good
Not always possible: consider the name Bill O'Reilly
Want to allow the use of single quotes in names
Have length limits on input
Many SQL injection attacks depend on entering long strings
EVEN MORE DEFENSES
Scan query string for undesirable word combinations that indicate SQL statements
INSERT, DROP, etc. If you see these, you can check against SQL syntax to see if they represent a statement or valid user input
Limit database permissions and segregate users
If you're only reading the database, connect to the database as a user that only has read permissions
Never connect as a database administrator in your web application
FINALLY, ALL SAID BUT...
Be careful out there!