SQL Injection

SQL injection is the exploitation of a vulnerability in applications that work with SQL databases. It is caused by a failure to escape or check meta-characters in user input. The attacker tries to inject their own database commands through the application that provides access to the database.


Effects:
With a successful attack the attacker can read data, alter or delete it, and in some cases even gain control of the server.

How it works:
SQL injections are possible when data such as user input is passed to the SQL interpreter. User input may contain characters that have a special function for the SQL interpreter, which allows outside influence on the database commands being executed. Such meta-characters in SQL are, for example, \ " ' and ;

Such gaps are often found in CGI scripts and programs that store data entered as web content or e-mails in SQL databases. If such a program does not escape the data correctly beforehand, an attacker can inject further SQL commands through the targeted use of these characters, or manipulate the queries so that additional data is altered or returned. In some cases it is even possible to obtain a shell, which in most cases means the entire server can be compromised.

Example:
If user input is not checked or escaped, the queries sent to the database can be manipulated by the end user of the application:

Statement = "SELECT * FROM users WHERE name = '" + username + "';"

This query is designed to read out the records of the specified user name. However, if the variable username is modified in a certain way, the SQL statement does much more harm. If the variable username is set to ' or '1'='1, or to ' or '1'='1';-- where the comment blocks the rest of the query, the result is the following SQL statement:

SELECT * FROM users WHERE name = '' OR '1'='1'; -- the rest of the query

If this code is used for authentication, this example would select a valid user name from the database, because '1' = '1' is always true.

The same naturally works with passwords. Let us take a user name such as admin and, for the password, again supply the string ' or '1'='1; the database then executes:

SELECT * FROM users WHERE name = 'admin' AND user_pwd = '' OR '1'='1';

We are thus logged in as admin with all rights and can do whatever we want.

The following input would delete the table users and read all data in the table userinfo, if an API is used that allows multiple statements per call.

a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't'='t

This input would generate this SQL statement:

SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

Most SQL server implementations support multiple statements per call; a few, such as PHP's mysql_query(), prevent this for security reasons.

Countermeasures:
An important countermeasure is to filter out or escape meta-characters in user input. This reduces or even eliminates the risk of SQL injection.

The safest way is to keep the data away from the SQL interpreter altogether. This is done with bound parameters in prepared statements: the data is passed as parameters to an already compiled command. The data is never interpreted as SQL, which prevents SQL injection.

Example in PHP (vulnerable, user input concatenated into the query):

<?php
// The POST value is inserted into the query string without any escaping
$query = "SELECT col1
          FROM table
          WHERE column2 = '" . $_POST['Spalte2Wert'] . "'";
$result = mysql_query($query) or die("Database query failed");
?>

Instead, the query should be written with the input escaped:

<?php
// mysql_real_escape_string() escapes the meta-characters in the POST value
$query = "SELECT col1
          FROM table
          WHERE column2 = '" . mysql_real_escape_string($_POST['Spalte2Wert']) . "'";
$result = mysql_query($query) or die("Database query failed");
?>

Conclusion:
SQL injection should never be underestimated: through a lack of filtering or escaping, data can be read, manipulated or deleted, and at worst the attacker even gains control of the server. The countermeasures, by comparison, are easy to implement. Many frameworks already escape automatically, so the web developer does not have to worry about it in the first place.