1 / 12

SQL Injection

SQL Injection. What is SQL Injection Different varieties of SQL Injection How to prevent it. What is SQL Injection?. SQL injection is a type of exploit in which attackers add SQL code into web page form input box or into URL’s code to make changes to databases and gain access to resources.

haley
Download Presentation

SQL Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SQL Injection What is SQL Injection Different varieties of SQL Injection How to prevent it

  2. What is SQL Injection? • SQL injection is a type of exploit in which attackers add SQL code into web page form input box or into URL’s code to make changes to databases and gain access to resources. • A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet.  SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database. (www.webopedia.com)

  3. Note before proceeding • Single quote (‘) is used to end the string part of SQL queries • # tells SQL queries to halt after input

  4. Different varieties of SQL injection • By input form OR • By manipulating URLs • http://homepage.com/login.php?id=2 • ‘; DROP TABLE login;’

  5. By input form • Use to inject • ' OR 1' • Behind the scene • SELECT * FROM usersTb WHERE username = ‘ OR 1’ • Every entries in users table will be selected • What happens? • The OR of 1 will always be true, therefore attacker bypass the selection process

  6. By input form continue… • An ok input $name = “minh”; $queries = “SELECT * FROM usersTb WHERE username = ‘$name’”; • An attacker input $name = “‘ OR 1’”; $queries = “SELECT * FROM usersTb WHERE username = ‘$name’”; • Display SELECT * FROM usersTb WHERE username = '' OR 1'' • Attackers gain access to data since OR 1 will always be true

  7. By input form continue… • More serious attack $ name= "'; DELETE FROM usersTb WHERE 1 or username = '"; $query = "SELECT * FROM usersTb WHERE username = '$name'"; • What it looks like in query SELECT * FROM usersTb WHERE username = ' '; DELETE FROM usersTb WHERE 1 or username = ' '

  8. By URL injection • A simple hyperlink http://homepage.com/login.php?id=2 • By inputting SQL code into the URL ‘; DROP TABLE login; # • You get http://homepage.com/login.php?id=2‘; DROP TABLE login; # • Result Drop the entire table of users

  9. Preventions • Limit the number of fields length • '; DELETE FROM usersTB WHERE 1 or username = ‘ • Data types validation • Use mysql_real_escape_string() • mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. (php.net)

  10. Preventions continue… • The use of mysql_real_escape_string() $name = “‘ OR 1’”; $name = mysql_real_escape_string($name); $queries = “SELECT * FROM usersTb WHERE username = ‘$name’”; • Display SELECT * FROM usersTb WHERE username = '\' OR 1\''

  11. Preventions continue… $ name= "'; DELETE FROM usersTb WHERE 1 or username = '"; $name = mysql_real_escape_string($name); $query = "SELECT * FROM usersTb WHERE username = '$name'"; • Display SELECT * FROM usersTb WHERE username = '\'; DELETE FROM usersTb WHERE 1 or username = \''

  12. References • http://www.learnphponline.com/security/sql-injection-prevention-mysql-php • http://php.net/manual/en/function.mysql-real-escape-string.php

More Related