Scribd
Upload
101 views

SQL Injection: Prof. Kirtankumar Rathod Dept. of Computer Science ISHLS, Indus University

This document provides an overview of SQL injection and how to prevent it. It defines SQL injection as malicious code inserted into SQL statements via web page input. This can allow attackers to read sensitive data like usernames and passwords from databases. The document demonstrates how SQL injection works by inserting statements like "1=1", which is always true, to return all rows. It recommends using input validation, prepared statements, and whitelisting to prevent SQL injection by never directly using untrusted user input in SQL queries.

Uploaded by

kirtan71
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
101 views

SQL Injection: Prof. Kirtankumar Rathod Dept. of Computer Science ISHLS, Indus University

This document provides an overview of SQL injection and how to prevent it. It defines SQL injection as malicious code inserted into SQL statements via web page input. This can allow attackers to read sensitive data like usernames and passwords from databases. The document demonstrates how SQL injection works by inserting statements like "1=1", which is always true, to return all rows. It recommends using input validation, prepared statements, and whitelisting to prevent SQL injection by never directly using untrusted user input in SQL queries.

Uploaded by

kirtan71
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 13

SQL INJECTION

Prof. Kirtankumar Rathod


Dept. of Computer science
ISHLS, Indus University
https://www.hacksplaining.com/e
xercises/sql-injection
Demo of SQL injection
What is SQL Injection?
• SQL injection is a code injection technique that might destroy your
database.

• SQL injection is one of the most common web hacking techniques.

• SQL injection is the placement of malicious code in SQL statements,


via web page input.
SQL in Web Pages:
• SQL injection usually occurs when you ask a user for input, like their
username/userid, and instead of a name/id, the user gives you an SQL statement
that you will unknowingly run on your database.

• Look at the following example which creates a SELECT statement by adding a


variable (txtUserId) to a select string. The variable is fetched from user input
(getRequestString):

Example
• txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
SQL Injection Based on 1=1 is Always True
• Look at the example above again. The original purpose of the code
was to create an SQL statement to select a user, with a given user id.
• If there is nothing to prevent a user from entering "wrong" input, the
user can enter some "smart" input like this:
• UserId: 105 or 1=1
• Then, the SQL statement will look like this:
• SELECT * FROM Users WHERE UserId = 105 OR 1=1;
SQL Injection Based on 1=1 is Always True
• The SQL above is valid and will return ALL rows from the "Users" table, since
OR 1=1 is always TRUE.

• Does the example above look dangerous? What if the "Users" table contains
names and passwords?
• The SQL statement above is much the same as this:
• SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

• A hacker might get access to all the user names and passwords in a database, by
simply inserting 105 OR 1=1 into the input field.
SQL Injection Based on ""="" is Always
True
• Here is an example of a user login on a web site:

• Example
• uName = getRequestString("username");
uPass = getRequestString("userpassword");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND
Pass ="' + uPass + '"'
• Result
• SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
• A hacker might get access to user names and passwords in a database by simply
inserting " OR ""=" into the user name or password text box:

• Result
• SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
• The SQL above is valid and will return all rows from the "Users" table, since
OR ""="" is always TRUE.
Here, in this example the query will return all the
values of student name based on the SQL injection
“1=1” which is always TRUE..
How to Prevent an SQL Injection
• The only sure way to prevent SQL Injection attacks is input validation and
parametrized queries including prepared statements.

• The application code should never use the input directly. The developer must
sanitize all input, not only web form inputs such as login forms.

• They must remove potential malicious code elements such as single quotes.

• It is also a good idea to turn off the visibility of database errors on your
production sites. Database errors can be used with SQL Injection to gain
information about your database.
How to Prevent SQL Injections (SQLi) –
Generic Tips
Step 1: Train and maintain awareness
• To keep your web application safe, everyone involved in building the web application
must be aware of the risks associated with SQL Injections. You should provide suitable
security training to all your developers, QA staff, DevOps, and SysAdmins.

Step 2: Don’t trust any user input


• Treat all user input as untrusted. Any user input that is used in an SQL query introduces
a risk of an SQL Injection. Treat input from authenticated and/or internal users the same
way that you treat public input.
Step 3: Use whitelists, not blacklists
• Don’t filter user input based on blacklists. A clever attacker will almost always find a
way to by-pass your blacklist. If possible, verify and filter user input using strict
whitelists only.

Step 4: Adopt the latest technologies


• Older web development technologies don’t have SQLi protection. Use the latest version
of the development environment and language and the latest technologies associated
with that environment/language. For example, in PHP use PDO instead of MySQLi.

Step 5: Employ verified mechanisms


• Don’t try to build SQLi protection from scratch. Most modern development
technologies can offer you mechanisms to protect against SQLi. Use such mechanisms
instead of trying to reinvent the wheel. For example, use parameterized queries or
stored procedures.
Thank you…

You might also like