Friday, December 26, 2008

What is SQL Injection

Today I want to show you detail of SQL Injection in a simple definition SQL Injection is "An attack technique used to exploit web sites by altering back end SQL statements through manipulating application input."
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
This are some special character in the SQL statement.
1) (;) The semicolon (;) denotes the end of one query and the start of another.
2) (--)The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored.
3) (/*Some Thing Here*/) Comment delimiters. Text between /* and */ is not evaluated by the server.
4) (') Character data string delimiter.

Now how this will happen, this is important to know.
1)Suppose your page code display search record according to the user name
string userName="shakti"
SELECT * FROM TABLE1 WHERE NAME = '" + userName + "';"
This SQL code is designed to pull up the records of a specified username from its table of users. Now I am changing userName variable value one by one and check the result;
However, assume that the user enters the following:
string userName="shakti'; DROP TABLE TABLE1"
now SQL become
Now the result of above query in first select record according to the search criteria and then It will delete the table from the database,therefore, you must validate all user input and carefully review code that executes constructed SQL commands in the server that you are using.
Preventing SQL Injection
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parametrized statements must be used (preferred), or user input must be carefully escaped or filtered.
This article is based on the SQL Security that you must implement in your website.
  • It is best to use stored procedure or parametrized statements.
  • Never build Transact-SQL statements directly from user input.
  • Input data must be in correct format.
  • The “sa” account or other privileged accounts that are members of the “sysadmin” or “db_owner” roles are not used for application logins.
  • Connection string must be encrypted and must be stored in a secure location.
  • Try to use multi layer project,based on business logic and other security classes.
SQL Injection Attack Example
String query = “SELECT * FROM users WHERE USERNAME= ‘“ + name + “’ PASSWORD= ‘“ + password + “’”

Enter user name: 1’ OR ‘1’ = ‘1
Enter password: 1’ OR ‘1’ = ‘1
SELECT name FROM users WHERE name = ‘1’ OR ‘1’=‘1’ password = ‘1’ OR ‘1’=‘1’
What above query does ,it return a row means user is able to access our security issue without login.Seems interesting.

For security above code must be in c#
using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
myCommand.Parameters.AddWithValue("@username", user);
myCommand.Parameters.AddWithValue("@password", pass);

SqlDataReader myReader = myCommand.ExecuteReader())
If you want to learn more about SQL Injection then please knock MSDN.



0 Responses to "What is SQL Injection"

Copyright 2009 All Rights Reserved Shakti Singh Dulawat