
SQL Injection Attack

What is SQL injection?

SQL injection is a hacking technique which attempts to pass SQL commands through
a web application for execution by a backend database. This is one of the most
common application layer attacks currently being used on the Internet. The
technologies vulnerable to this attack are dynamic script languages like ASP,
ASP.NET, PHP, JSP, CGI, and so on.

To be able to perform SQL Injection hacking, all an attacker needs is a web browser
and some guess work to find important table and field names. This is why SQL
Injection attacks are so popular.

This kind of attack is not a technological security hole in the Operating System or
server software, but rather it depends on the way that a website is developed. Some
developers are unaware of this kind of attack and unknowingly develop web
applications which open doors for hackers to inject SQL Queries / Commands into the
system.

Any web page which passes parameters to a database can be vulnerable to SQL
Injection hacking. Usually these vulnerabilities are present in Login forms, Forgot
Password forms, etc…

What an attacker can do if your site is vulnerable

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to
inject SQL Query / Commands through an input form field. This is equivalent to
handing the attacker the Query Browser, allowing him to send any SQL command like
SELECT, INSERT, DELETE and DROP TABLE to the database!

Whether an attacker is able to see the data stored in the database depends
on how the website is coded to display the results of the queries sent. What is
certain is that the attacker will be able to execute arbitrary SQL Commands on the
vulnerable system, either to compromise it or else to obtain information.

What an attacker gains access to also depends on the level of security set by the
database. The database could be set to permit certain commands only. Read
access is normally enabled for use by web application back ends, so even if an
attacker is not able to modify the system, he would still be able to read valuable
information.

Example of a SQL Injection attack

Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="login.php">
<input type="text" name="username">
<input type="password" name="password">
</form>

The easiest way for the login.php to work is by building a database query that looks
like this:
"SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'";

If the variables $username and $password are taken directly from the user's
input, this query can easily be compromised. Suppose that we gave "Joe" as a username
and that the following string was provided as a password: anything' OR 'x'='x

"SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'";

Because the application is not really thinking about the query, but just constructing a
string, the single quotes in the input have turned the WHERE into a two-component
clause. Since AND binds more tightly than OR, the 'x'='x' part stands on its own and is
guaranteed to be true regardless of what the first part contains.

This will allow the attacker to bypass the login form without actually knowing a valid
username / password combination!

How to check for SQL injection vulnerabilities

The best way to check whether your web site & applications are vulnerable to SQL
injection attacks is by using a Web Vulnerability Scanner. A Web Vulnerability
Scanner crawls your entire website and automatically checks for vulnerabilities to
SQL Injection attacks. It will indicate which URLs/scripts are vulnerable to SQL
injection attack so that you can fix the vulnerability easily. Besides SQL injection
vulnerabilities a web application scanner will also check for Cross site scripting &
other web vulnerabilities.

The Acunetix Web Vulnerability Scanner scans for SQL injection, Cross site scripting,
Google hacking and many more vulnerabilities.

Preventing SQL Injection attacks

The best way to defend against SQL injection attacks is to filter extensively any input
that a user can give. One should "remove everything but the known good data" and
filter metacharacters from the user input. This will ensure that only what should be
entered in the field will be submitted to the server.
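
The login query and the "known good data" filter described above, as an added example that is not part of the original article. It is written in Python against an in-memory SQLite database rather than login.php; the function names, the allow-list pattern and the sample row are assumptions, and the bound-parameter version is an additional technique the article does not describe.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: one row in a table shaped like the article's `logins`.
    # The plaintext password column only mirrors the article's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO logins (username, password) VALUES ('Joe', 's3cret')")
    return db

def login_concatenated(db, username, password):
    # The article's vulnerable form: user input becomes part of the SQL text.
    sql = ("SELECT id FROM logins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

# Allow-list of "known good data": letters, digits and underscore (assumed policy).
KNOWN_GOOD = re.compile(r"[A-Za-z0-9_]{1,32}")

def login_filtered(db, username, password):
    # Reject any input outside the allow-list before the query string is built.
    if not (KNOWN_GOOD.fullmatch(username) and KNOWN_GOOD.fullmatch(password)):
        return False
    return login_concatenated(db, username, password)

def login_bound(db, username, password):
    # Bound parameters: values travel separately from the SQL text, so a quote
    # in the input is compared as data and never parsed as SQL.
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def demo():
    db = make_db()
    payload = "anything' OR 'x'='x"  # the password string used in the article
    return {
        "concatenated": login_concatenated(db, "Joe", payload),
        "filtered": login_filtered(db, "Joe", payload),
        "bound": login_bound(db, "Joe", payload),
        "bound_valid": login_bound(db, "Joe", "s3cret"),
    }

if __name__ == "__main__":
    print(demo())
```

The allow-list rejects legitimate input that contains a quote, such as the name O'Brien, while the bound-parameter version accepts it safely.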

Check if your website is vulnerable to attack

Get a free security audit performed by Acunetix staff using Acunetix Web
Vulnerability Scanner. Acunetix will scan your website simulating numerous hacking
techniques such as SQL injection, cross site scripting, Google hacking and more, in
order to identify vulnerabilities in your website. After the scan has completed, you
will receive a summary report indicating what - if any - vulnerabilities exist on your
site.
