According to the OWASP – Open Web Application Security Project – a SQL injection attack, or SQLi, is when you can insert a SQL query to the database from the client-side 1OWASP, 2016, SQL Injection.. Right now this is one of the biggest threats to web security (the biggest on the OWASP top 10 of 2017) among other attacks2OWASP, Top Ten 2017 Projects.
Basically, this is how it is performed3acunetix, What is SQL Injection (SQLi) and How to Prevent It.:
- This is possible on vulnerable inputs that attackers have access to.
- An input is vulnerable when uses its value directly in an SQL query.
- Malicious SQL commands can be created and executed using these inputs.
- This vulnerable query is called dynamic query.
It is kind of obvious but these are some of the Immediate consequences from an SQLi attack4acunetix, What is SQL Injection (SQLi) and How to Prevent It.:
- credentials of other users are exposed.
- Information is compromised.
- databases can be dropped.
Here we have a basic example of a vulnerable dynamic query5w3schools.com, SQL Injection.
txtUserId = getRequestString("UserId"); txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
In this case, there is no validation before using the value in the query itself, and that’s what makes it dangerous and vulnerable. Therefore, if the user-attacker write something like
user ID: 10 OR 1=1 then the final query would look something like this:
`SELECT * FROM Users WHERE UserId = 105 OR 1=1;`
This query will be always true, and as a result, it will return all the rows from the ‘Users’ column.
How to prevent an SQLi attack?
There are multiple ways to prevent this sort of attacks, the most recommended is not to use dynamic queries, instead of that, you should parameterize the query before executing it. Every language has its own approach, for instance, in PHP there is something called PDO (PHP Data Objects) and it would look something like this6php.net, Prepared statements and stored procedures.:
<?php $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value); $name = 'one'; $value = 1; $stmt->execute(); ?>
For more information about SQL Injection attacks please visit the sources below.
References [ + ]