Hello
This Is My Tutorial Over "SQL INJECTION" , Hope It Would Help Out Many Out Here.
Basically SQL INJECTION Is A Attack Over Weak Programming And Can Affect Major Over The Databases.
No Lets Jump Out Here:
Consider a Form As Shown below,
http://www25.brinkster.com/vinothbabu/login.asp
The Form Accepts a Username and Password.It Would then Probably Query a database to retrieve some information
Let Us Say that this is a bank database and, hypothetically,it has a table user_id with following
structure shown below:
Username Password AccountNumber
The Account number is used for all transactions, and will be retrived from the table when the user
ebters his username and password.This Would Most Likely be Done By a query Like ...
Select account_number from user_id where
username='spechacker' and password='jamesbond'
Bit What Happens if the user enters his name as spechacker' instead of spechacker??? The Query Now Becomes...
Select account_number from user_id where
username='spechacker'' and password='jamesbond'
This Is an Error And So the Database Server Will Return An Error.This Could Be Something Similar
to What's Shown Below:
Native Error Code:1756
Now From Above We Come Here to state an information....
* We Know that we can managle the query at our will
* We Know the database at the back-end.In this Case It Is Oracle.
Now What If We Entered Our Password As jamesbond' OR 'b' = 'b? The Query Becomes......
Selecr account_number from user_id where
username='spechacker' and passwords= 'jamesbond' OR 'b'='b'
This Is a Valid SQL query. Further, It Will always yield True Since 'b'='b' always Yields True.
Hence This will Result In an Overall true.This Means that You Could Type any password and log in
successfully!
Moving On To Other Possibilities
We Have Seen That Quating Can Wreak All Sorts Of Havoc in the authentication scheme.Another Offending string is the '-'
This Is USed As A Comment In SQL.Now,What If We Entered Our Username As spechacker;-?
The Query Would Be...
Select account_number from user_id where
username=spechacker'- and password='jamesbond'
As You Can See The Entire 'where' clause has been eliminated.In short, no password check is performed!
Furthermore,the ';'(semicolon) character is used in SQL to seperate two queries.While Some Databases
Ignore This Such as Oralce , Others Such As MS SQL2000 And MYSQL Use it.This is by Far the Most Dangerous.By this the
attacker has access to your databases.
A Query Such As..
Select account_number from user_id where username='spechacker';
update balance_table set balance_amnt=87497824 where
user='spechacker'--' and password='jamesbond'
Can Easily Formed By Entering A Username.
spechacker';update balance_table set balance_amnt=87497824 where user='spechacker'--
If The User Were to USe Some Dangerous Query Like Drop Table,You Could be in Real Trouble!
Many Databases Have Commands tht are used to execute Shell Commands.Some Like PostgreSQL,Have
XP_shellexec that can compromise the entire system by running programs such as FTP to get Trojan
Horses.
How To Prevent This Attack ............
1. Escape/Filter Special Characters whereever not required.
Ensure that characters such as' ,;()- are dealt with properly.2. Run the Web Application as the database User with the least Possible privileges.
3. Run The Web Application as An Operating System User with the Least +ve Privileges.
4. Limit the field lengths.No One Will Enter an 80-Character username.
Let us Prevent This Attack And Provide More Security To The Web.
Thanx
Hope This Tutorial Will Surely Help EveryOne In This Board.
Vinoth