What is SQL Injection
- SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database.
- A SQL Injection attack can occur when a web application utilizes user-supplied data without proper validation or encoding as part of a command or query.
- The specially crafted user data tricks the application into executing unintended commands or changing data.
- SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database.
Key Concepts of a SQL Injection Attack
- SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query
- Attackers provide specially crafted input data to the SQL interpreter and trick the interpreter to execute unintended commands
- Attackers utilize this vulnerability by providing specially crafted input data to the SQL interpreter in such a manner that the interpreter is not able to distinguish between the intended commands and the attacker’s specially crafted data. The interpreter is tricked into executing unintended command
- SQL Injection attack exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data
A SQL Injection Example
Let’s look at the example code below.
String SQLQuery =”SELECT Username, Salary FROM users WHERE Username=” +userName+” AND Password=” +password+”;
If an attacker provides ‘or 0=0’ as the username and password, then the query will be constructed as:
String SQLQuery =”SELECT Username, SalaryFROM users WHERE Username=” or 0=0” AND Password=” or 0=0”;
since under all circumstances zero will be equal to zero, the query will return all records in the database. In this way, an unauthorized user will be able to view sensitive information.
String SQLQuery =”SELECT Username, SalaryFROM users WHERE Username=” or 0=0” AND Password=” or 0=0”;
Preventing SQL Injection
- if you adopt an input validation technique in which user input is authenticated against a set of defined rules for length, type, and syntax and also against business rules
- Ensure the users permission that access the database have the least privileges. Additionally
- Do not use system administrator accounts like “sa” for Web applications
- You should always make sure that a database user is created only for a specific application and this user is not able to access other applications. Another method for preventing SQL injection attacks is to remove all stored procedures that are not in use
- Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures
Import Note:
- Using stored procedures ("prepared statement" instead of using "statement") since they are generally safe from injection. However, be careful as they can be injectable (such as via the use of exec() or concatenating arguments within the stored procedure).
- use frame works like "Hibernate" it's help to prevent you from the Sql Injection since you don't make statement with direct concatenation (native statement) without validation on input.
- use frame works like "Hibernate" it's help to prevent you from the Sql Injection since you don't make statement with direct concatenation (native statement) without validation on input.
No comments:
Post a Comment