This is a series of security-related articles I wrote. This article is the first one.
Introduction
This article was a note about SQL injection that I took about 20 years ago. Last week, in an interview, I was asked what SQL injection is. Therefore, I am publishing this note as an article.
According to Wikipedia, SQL injection started appearing around 1998; for example, it was described in a 1998 article in Phrack Magazine. This article will briefly discuss:
- What is SQL injection;
- Simple SQL Injection Example;
- How and Why Is an SQL Injection Attack Performed;
- How to avoid SQL Injection.
A - Definition
What is SQL Injection:
SQL injection is a form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.
SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.
B - Simple SQL Injection Example
Injection example for client-side dynamic SQL built by string concatenation:
strSql="select * from table where uid='" & strUid & "' and Pwd='" & strPwd & "'"
If given the input:
- strUid = "a' or 1=1 -- "
- strPwd = "any"
the SQL string that reaches the server becomes:
select * from table where uid='a' or 1=1 -- ' and Pwd='any'
The WHERE clause is now always true (uid='a' or 1=1), and the -- turns the rest of the line, including the password check, into a comment. The statement therefore succeeds without a valid password and returns every record in the table.
C - How Is an SQL Injection Attack Performed
The following covers the usual cases:
- Attackers can use SQL injection to find the credentials of other users in the database and then impersonate those users.
- An SQL injection vulnerability could allow the attacker to gain complete access to all data on a database server.
- SQL injection also lets an attacker alter data in a database and add new data. For example, in a financial application, an attacker could use SQL injection to alter balances, void transactions, or transfer money to their own account.
- SQL injection can be used to delete records from a database, or even drop tables.
- Some database servers allow access to the operating system through the database server, whether intentionally or accidentally. In such a case, an attacker could use SQL injection as the initial vector and then attack the internal network behind the firewall.
D - How to avoid SQL Injection
- In general, a stored procedure (SP) is good protection against injection, because an SP is compiled code on the server and its SQL cannot be changed by the input it receives. Calling the SP from the client with a command that uses strongly typed parameters, including type verification and size limits, is generally considered sufficient protection.
- Using client-side SQL text with a command that uses strongly typed parameters (a parameterized query) gives the same protection as calling an SP with strongly typed parameters.
- If an SP must build dynamic SQL, use EXEC sp_executesql instead of plain EXEC wherever possible. With sp_executesql you get compiled 'dynamic SQL' that takes parameters, and those parameters protect the dynamic SP from injection.
- For client-side hard-coded dynamic SQL that does not use parameters, the minimum protection is to "filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, newline, etc., in all strings" --- a lot of work, and only a fallback.
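The following is an added, runnable illustration of both the injection in section B and the parameterized defences in section D; it is example code written for this page, not code from the original article. It builds an in-memory SQLite table with constructed sample users, runs the article's `a' or 1=1 -- ` input through a concatenated query shaped exactly like the strSql example and through a parameterized one, and then shows how dynamic SQL can still be built safely by allow-listing identifiers while passing values as parameters (the same idea as sp_executesql's parameters). The table name `users`, the sample rows, the `balance` column and the `ALLOWED_SORT_COLUMNS` allowlist are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original article).
USERS = [
    ("alice", "alice-secret", 120.50),
    ("bob", "bob-secret", 75.00),
    ("carol", "carol-secret", 300.00),
]

# The input from the article's section B example.
PAYLOAD_UID = "a' or 1=1 -- "
PAYLOAD_PWD = "any"

# Hypothetical allowlist of identifiers that dynamic SQL may use.
# Identifiers cannot be passed as parameters, so they must be validated.
ALLOWED_SORT_COLUMNS = {"uid", "balance"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table like the article's `table`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (uid text, pwd text, balance real)")
    conn.executemany("insert into users values (?, ?, ?)", USERS)
    return conn


def vulnerable_login(conn, uid, pwd):
    """Mirrors the article's concatenation:
    strSql = "select * from table where uid='" & strUid & "' and Pwd='" & strPwd & "'"
    The input becomes part of the SQL text, so it can change the statement."""
    sql = "select uid from users where uid='" + uid + "' and pwd='" + pwd + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, uid, pwd):
    """Parameterized query: the SQL text is fixed and the driver sends the
    values separately, so a quote or -- in the input is just data."""
    sql = "select uid from users where uid=? and pwd=?"
    return [row[0] for row in conn.execute(sql, (uid, pwd))]


def safe_dynamic_report(conn, sort_column, min_balance):
    """Dynamic SQL done safely: the identifier comes from an allowlist and the
    value is still a parameter (compare sp_executesql with parameters)."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_column!r}")
    sql = f"select uid, balance from users where balance >= ? order by {sort_column}"
    return list(conn.execute(sql, (min_balance,)))


def demo():
    """Run every case once and return the results for inspection."""
    conn = make_db()
    results = {
        "legit_vulnerable": vulnerable_login(conn, "alice", "alice-secret"),
        "legit_safe": safe_login(conn, "alice", "alice-secret"),
        # Concatenation: the WHERE clause becomes `uid='a' or 1=1 -- ...`, every row matches.
        "payload_vulnerable": vulnerable_login(conn, PAYLOAD_UID, PAYLOAD_PWD),
        # Parameters: the server looks for a uid literally equal to "a' or 1=1 -- ".
        "payload_safe": safe_login(conn, PAYLOAD_UID, PAYLOAD_PWD),
        "report": safe_dynamic_report(conn, "balance", 100),
    }
    # An identifier outside the allowlist is rejected before any SQL is built.
    try:
        safe_dynamic_report(conn, "balance desc", 0)
        results["rejected_identifier"] = False
    except ValueError:
        results["rejected_identifier"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `?` placeholder is SQLite's style; other drivers use `%s` (psycopg2) or `@name` (SQL Server), but the principle is the same: the values travel separately from the SQL text. Note that parameters cannot carry table or column names, which is why the dynamic report validates its identifier against an allowlist rather than trying to filter characters out of it.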
Summary
SQL injection (SQLi) was listed among the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project (OWASP). This article gives only a basic idea of what SQL injection is, how it works, and how it can be avoided. Deeper discussion can be found on Wikipedia and elsewhere.
Reference