Jan 17

SQL Injection Attack Primer

SQL Injection Attacks by Example: This is a fantastic, step-by-step example of a SQL injection attack. If you’ve heard of these, but not quite understood what they are, then read this.

“SQL Injection” is a subset of the unverified/unsanitized user input vulnerability (“buffer overflows” are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it’s straightforward to create some real surprises.

In a nutshell, say you’re running SQL Server, and you form your SQL query like this:

SELECT * FROM passwords WHERE username = '[unsanitized Web form input]'

If someone enters this on your Web form:

whatever' OR 1=1 --

You’re now running this SQL:

SELECT * FROM passwords WHERE username = 'whatever' OR 1=1 --'

With SQL Server, “--” comments out the rest of the line, so the server doesn’t even pick up the last apostrophe. Consequently, this query will return all rows of that table.

Yes this may make my app break, you say, but how can it compromise security? Read the article — they use this exact technique to break into an intranet. It’s a great read for SQL geeks.
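To see the effect concretely, here is an added example (not from the linked article) that builds the post's query both ways against a constructed in-memory SQLite table: once by pasting the form input into the SQL string, once by binding it as a parameter. The table name, column names and sample rows are assumptions made up for the demo.

```python
"""Naive string-built query vs. parameterized query, fed the post's payload."""
import sqlite3

# Constructed sample data standing in for the post's "passwords" table.
SAMPLE_ROWS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]

PAYLOAD = "whatever' OR 1=1 --"  # the exact form input from the post


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO passwords VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_naive(conn: sqlite3.Connection, username: str) -> list:
    """The flawed pattern: user input is spliced straight into the SQL text."""
    sql = f"SELECT * FROM passwords WHERE username = '{username}'"
    # With PAYLOAD this becomes:
    #   SELECT * FROM passwords WHERE username = 'whatever' OR 1=1 --'
    # OR 1=1 is true for every row and -- comments out the trailing quote.
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value, so it can never change the query's structure."""
    sql = "SELECT * FROM passwords WHERE username = ?"
    # The payload is now just a (non-existent) username to compare against.
    return conn.execute(sql, (username,)).fetchall()


def demo() -> tuple:
    """Return (rows leaked by the naive query, rows returned by the safe query)."""
    conn = make_db()
    return len(lookup_naive(conn, PAYLOAD)), len(lookup_parameterized(conn, PAYLOAD))


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"naive query returned {leaked} rows, parameterized query returned {safe}")
```

Binding the value is the durable fix: unlike escaping quotes, it works the same way regardless of which database engine's quoting rules apply.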

Via Joseph Scott.


Comments

by Matthew Turland,   January 17, 2005 8:57 PM  

OK, seriously... I may be biased towards PHP because I've been using the language for three consecutive years now, but REALLY... has NO ONE heard of magic quotes?

All anyone has to do to get around this is to make sure that quotes are escaped, either with slashes in the case of MySQL, an additional single quote (I think) in SQL Server, or whatever mechanism the SQL server of choice provides for escaping quotes.

I'm sorry, but I've seen this point beat to death over the course of at least a year. It's a really boneheaded mistake that a lot of inexperienced programmers can make and it's one that's not that difficult to fix on a case-by-case basis. Programmers who might do this just need to get into the mindset of not trusting any data that comes from the user.

In short, the horse has had far too many funerals by this point. Quit kicking it, people.




