SQL injection

SQL injection is a code-injection technique that exploits a vulnerability in an application at the input validation level in order to execute attacker-chosen queries against its database. The source of the vulnerability lies in the incorrect checking and/or filtering of the variables used by a program that contains, or generates, SQL code.



Description

An SQL injection is said to exist, or to have occurred, when invasive SQL code is in some way inserted or "injected" into the SQL code the program builds, in order to alter the normal functionality of the application and get the embedded "invader" code to run in the database.

This type of intrusion is usually malicious, destructive or used for spying, so it is a computer security problem that the application programmer must take into account in order to prevent it. A program written carelessly, or by someone unaware of the problem, may turn out to be vulnerable, and the security of the system (the database) may eventually be compromised. The intrusion takes place while the vulnerable program is running.

The vulnerability is introduced when a program carelessly assembles an SQL statement at runtime, that is, when during development the programmer writes the statement to be run without protecting the parts that come from outside. In every case the problem appears where the programmer needs, and uses, parameters entered by the user in order to query a database, since it is precisely inside those parameters that the intruding SQL code can be placed. When the query is executed by the database, the injected SQL code is executed along with it and can perform multiple operations on the application: inserting records, modifying or deleting data, bypassing authentication forms to gain access, and, depending on the privileges the database account has, even executing other kinds of malicious code on the machine.


Examples

Ex: 1

This example demonstrates how a login can be bypassed without knowing the password.

// data is received
$us = $_POST['user'];
$pass = $_POST['pass'];

// the query is built without first filtering or cleaning the data: this is the vulnerable line
$sql = "SELECT * FROM users WHERE user = '$us' AND password = '$pass'";

// run the query; this assignment is implied by the check on $exc below
$exc = mysql_query($sql);

if (mysql_fetch_array($exc)) {
    echo "Login successful";
}

This is the typical password verification system. It relies on mysql_fetch_array (a function of the old mysql extension that returns false when the query produced no rows), so if no row has a matching username and password the result is false and the login is refused.

How can it be made to return true and let the user in?

  • With the correct password.
  • By injecting malicious code.

Injecting code, something like the following is done.

This is the query, which only matches if the password is known:

SELECT * FROM users WHERE user = '$us' AND password = '$pass'

Now, how can it be made to return true even without knowing the password, given that only $pass and $us can be controlled? With a little creativity. The form is given:

  • User: yosba
  • Password: ' OR '' = '

The SQL statement that results is:

SELECT * FROM users WHERE user = 'yosba' AND password = '' OR '' = ''

Because AND binds more tightly than OR, this reads as (user = 'yosba' AND password = '') OR ('' = ''). The empty string is always equal to the empty string, so the condition is true for every row of the table, the query returns a result, and the check passes without credentials. Note that the session is opened as whichever user the database returns first, which is not necessarily yosba. This exploits the programmer's unawareness of how the statement is assembled.

Other values that also return true are:

  • User: yosba' AND /*   Password: */ '' = '
    (the block comment /* ... */ swallows the password check, leaving user = 'yosba' AND '' = '', so in this case the session really is yosba's)
  • User: ' OR 1=1 --   Password: anything
    (everything after -- is a comment, so the password check is discarded; the page's original // is not a comment marker in MySQL, where -- must be followed by a space, or # can be used instead)
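The payloads above, run against a small in-memory SQLite table, as an added example that is not part of the original page. The PHP of Ex. 1 is reproduced in Python with string formatting so that exactly the same statement text is built; the sqlite3 module stands in for MySQL (both accept the '' = '', /* */ and -- constructs used here), and the users table, the account names admin and yosba and their passwords are constructed sample data.

```python
import sqlite3

# Constructed sample table (not from the original page): two accounts, admin first.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("yosba", "hunter2")])
    return db

def build_query(us, pw):
    """Assembles the statement the same way as the page's vulnerable PHP line:
    both user-controlled values are pasted straight into the SQL text."""
    return f"SELECT * FROM users WHERE user = '{us}' AND password = '{pw}'"

def vulnerable_login(db, us, pw):
    """Mirrors `if (mysql_fetch_array($exc))`: any row at all counts as success.
    Returns the user column of the first row returned, or None."""
    row = db.execute(build_query(us, pw)).fetchone()
    return row[0] if row else None

def demo():
    """Runs the page's payloads against the vulnerable check."""
    db = make_db()
    out = {}
    out["correct"] = vulnerable_login(db, "yosba", "hunter2")   # normal login
    out["wrong"] = vulnerable_login(db, "yosba", "nope")        # rejected
    # password = '' OR '' = ''  -> AND binds tighter than OR, so the clause is
    # (user='yosba' AND password='') OR ('' = ''), i.e. true for every row.
    # The application sees the FIRST row, which is admin, not yosba.
    out["or_empty"] = vulnerable_login(db, "yosba", "' OR '' = '")
    # user = 'yosba' AND /*' AND password = '*/ '' = ''  -> the block comment
    # swallows the password test; only yosba's row satisfies what is left.
    out["block_comment"] = vulnerable_login(db, "yosba' AND /*", "*/ '' = '")
    # user = '' OR 1=1 -- ' AND password = 'anything'  -> the line comment
    # discards the rest of the statement (MySQL needs the space after --).
    out["line_comment"] = vulnerable_login(db, "' OR 1=1 -- ", "anything")
    return out
```

build_query() is kept separate from the execution so the assembled text can be inspected; printing it for each payload is the quickest way to see why the database accepts statements the programmer never wrote.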

Ex: 2

Suppose there is a parameter "username" that contains the username to query. The original, vulnerable code assembles the SQL like this:

query := "SELECT * FROM users WHERE name = '" + username + "';"

If a name such as "Jorge" is entered, nothing abnormal happens: the application generates the following, perfectly correct, SQL statement, which selects all records with the name "Jorge":

SELECT * FROM users WHERE name = 'Jorge';

But if an intruder enters as the username:

Jorge'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

the following SQL is generated (the trailing '% of the payload is completed by the '; that the template appends):

SELECT * FROM users WHERE name = 'Jorge';
DROP TABLE users;
SELECT * FROM data WHERE name LIKE '%';

The database would execute these in order: all records with the name 'Jorge' are selected, the table 'users' is dropped, and finally the entire 'data' table is returned, which should not be available to ordinary web users. In summary, any data in the database can be read or modified by a malicious user. One caveat: the second and third statements only run if the database API executes stacked statements. PHP's mysql_query() sends a single statement and rejects this text, whereas mysqli_multi_query() executes all of them. Stacked queries are an extra, not a requirement: the first payload of Ex. 1 needed no second statement at all.

Ex: 3

When parameters are received through $_GET[] and the variables are not correctly filtered. In this case the id parameter with value 4 is passed to the file uno.php to select that record: <a href="uno.php?id=4">News 4</a>

$result = mysql_query("SELECT * FROM a_table WHERE id = " . $_GET['id']);
$row = mysql_fetch_row($result);

This is vulnerable. Because id is pasted into the statement unquoted, the attacker does not even need a quote character to escape from a string literal: anything appended to the number is parsed as SQL (4 OR 1=1 selects every row, and no quote-escaping function would remove it). Someone who also knows the name of the table can append a second statement to the id, like this:


What would actually happen? The following query would be executed:


where a record is first selected and then the entire table is deleted (again, only if the API used runs stacked statements).
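Ex. 2 and Ex. 3 together, as an added example that is not code from the page: an unquoted numeric id injected with 4 OR 1=1 and with a stacked DROP TABLE, run against an in-memory SQLite table. The news table and its rows are constructed sample data; sqlite3's execute() plays the role of mysql_query(), which runs one statement, and executescript() the role of mysqli_multi_query(), which runs them all. safe_select() is the hardened version: validate the type, then bind the value as a parameter.

```python
import sqlite3

# Constructed sample table (not from the page): records addressed by a numeric id,
# standing in for the page's "uno.php?id=4".
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "Old news"), (2, "Internal note"), (4, "News 4")])
    return db

def vulnerable_select(db, raw_id):
    """The page's Ex. 3 pattern: $_GET['id'] is appended unquoted, so whatever
    follows the number is parsed as SQL. No quote character is needed."""
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def stacked_attempt(db, raw_id):
    """Tries the 'select one record, then DROP TABLE' payload.
    Returns (what a single-statement API did, whether the table still exists
    after an API that runs stacked statements)."""
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    try:
        db.execute(sql)      # sqlite3.execute(), like mysql_query(), runs one statement only
        single = "ran"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        single = "rejected"  # "You can only execute one statement at a time."
    db.executescript(sql)    # like mysqli_multi_query(): every statement runs
    still_there = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'news'"
    ).fetchone()[0] == 1
    return single, still_there

def safe_select(db, raw_id):
    """Hardened version: validate the type first, then bind the value as a
    parameter so the driver sends it as data, never as SQL text."""
    id_value = int(raw_id)   # ValueError on "4 OR 1=1" or "4; DROP TABLE news"
    return db.execute("SELECT id, title FROM news WHERE id = ?", (id_value,)).fetchall()

def demo():
    out = {}
    out["normal"] = vulnerable_select(make_db(), "4")
    out["or_rows"] = len(vulnerable_select(make_db(), "4 OR 1=1"))   # every row leaks
    out["stacked"] = stacked_attempt(make_db(), "4; DROP TABLE news")
    try:
        safe_select(make_db(), "4 OR 1=1")
        out["safe_rejects"] = False
    except ValueError:
        out["safe_rejects"] = True
    out["safe_normal"] = safe_select(make_db(), "4")
    return out
```

The int() cast is the check that escaping functions cannot provide for this parameter: the payload contains no quote to escape, so only type validation (or a bound parameter, which makes the driver reject non-numeric input in a typed column) keeps the OR out of the WHERE clause.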

Ways to avoid SQL injection attacks.

Important: what should be done to avoid these errors? SQL injection is easy to avoid, by the programmer, in most languages used to develop web applications. The primary defence is never to build SQL by pasting user input into the statement text: the statement and the values are sent separately, as prepared statements with bound parameters (in PHP, PDO or mysqli prepared statements), so the data can never be parsed as SQL whatever characters it contains. In addition, validate the data against what is actually expected (an id is cast to an integer before use), rather than only trying to keep users from entering characters such as \ / " ' that do not belong in the requested data.

Ex: 1 In PHP there are functions that escape input for use inside a quoted SQL string. For the old mysql extension the function is mysql_real_escape_string:

$query_result = mysql_query("SELECT * FROM users WHERE name = \"" . mysql_real_escape_string($username) . "\"");

Three caveats apply. Escaping only protects a value placed inside a quoted string literal; it does nothing for the unquoted numeric id of Ex. 3, where 4 OR 1=1 contains nothing to escape. It needs an open connection, because the correct escaping depends on the connection's character set. And the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so it is not available in current PHP.

Home-made substitutes, such as removing quote characters with str_replace() or applying $var = htmlentities(addslashes($var)) to each variable, are weaker still: addslashes() is not aware of the connection's character set, htmlentities() is meant for HTML output and has nothing to do with SQL, and the magic_quotes setting that used to apply addslashes implicitly was removed in PHP 5.4. None of them helps in an unquoted context.

Ex: 2 Hashing the passwords:

$user = $_POST["user"];
$pass = $_POST["pass"];

$pass = md5($pass);  // hash it (md5 is a hash, not encryption)

$sql = "SELECT * FROM users WHERE user = '$user' AND contra = '$pass'";

Assuming that the hash of the password is what is stored in the database: the pass parameter is hashed before it is placed in the query, so if a malicious person entered ' OR '' = ' as the pass parameter, what reaches the query is its md5, such as d20da3888278ec814f6a837f260b60df, and the generated query would be:

SELECT * FROM users WHERE user = 'yosba' AND contra = 'd20da3888278ec814f6a837f260b60df'

and not what the intruder intended:

SELECT user, contra, type FROM users WHERE user = 'yosba' AND contra = '' OR '' = ''

This protects only the pass parameter. The user parameter is still concatenated as typed, so ' OR 1=1 -- in the user field bypasses this login exactly as in Ex. 1; hashing complements prepared statements, it does not replace them. Also, md5 is not suitable for storing passwords (it is fast and unsalted, so leaked hashes are easily cracked): in PHP use password_hash() and password_verify(), which apply a salt and a deliberately slow hash.
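The hashing defence of Ex. 2 beside a hardened login, as an added example, not the page's code. page_style_login() is the page's md5-then-concatenate check rewritten in Python; hardened_login() uses a bound parameter and verifies a salted PBKDF2-HMAC-SHA256 hash, which stands in here for PHP's password_hash()/password_verify(). The users table, the accounts admin and yosba and their passwords are constructed sample data, and SQLite stands in for MySQL.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from the page). Each password is stored twice:
# as the bare md5 the page uses, and as a salted PBKDF2-HMAC-SHA256 hash, the
# stand-in here for PHP's password_hash()/password_verify().
def hash_password(password, salt=None, iterations=100_000):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, contra_md5 TEXT, contra_hash TEXT)")
    for user, pw in [("admin", "s3cret"), ("yosba", "hunter2")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (user, hashlib.md5(pw.encode()).hexdigest(), hash_password(pw)))
    return db

def page_style_login(db, user, pw):
    """The page's Ex. 2 defence: md5 the password, then concatenate both values."""
    pw_md5 = hashlib.md5(pw.encode()).hexdigest()
    sql = f"SELECT user FROM users WHERE user = '{user}' AND contra_md5 = '{pw_md5}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def hardened_login(db, user, pw):
    """Prepared statement with a bound parameter plus proper password verification.
    The username can only ever be compared as a value, never parsed as SQL."""
    row = db.execute("SELECT user, contra_hash FROM users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return None
    return row[0] if verify_password(row[1], pw) else None

def demo():
    db = make_db()
    return {
        # The page's claim holds for the password field: the payload is hashed away.
        "md5_pw_payload": page_style_login(db, "yosba", "' OR '' = '"),
        # ...but the user field is still concatenated raw, so the login is bypassed
        # by commenting out the password test; the first row (admin) is returned.
        "md5_user_payload": page_style_login(db, "' OR 1=1 -- ", "anything"),
        "hardened_ok": hardened_login(db, "yosba", "hunter2"),
        "hardened_user_payload": hardened_login(db, "' OR 1=1 -- ", "anything"),
        "hardened_pw_payload": hardened_login(db, "yosba", "' OR '' = '"),
    }
```

hardened_login() fetches the row by username only and does the password comparison in application code; that keeps the hash out of the SQL text entirely and lets the comparison be constant-time, which a WHERE clause on the hash column is not.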

