SQL Injection Tutorial: Prevent Attacks, Vulnerability Cheat Sheet

SQL Injection Tutorial: Learn About SQL Injection Vulnerabilities and Prevention

SQL Injection Defined

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database. SQL Injection attacks can occur when a web application utilizes user-supplied data without proper validation or encoding as part of a command or query. The specially crafted user data tricks the application into executing unintended commands or changing data. SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. In its most common form, SQL Injection allows attackers to access sensitive information such as social security numbers, credit card number or other financial data. According to Veracode’s State of Software Security Report SQL Injection is one of the most prevalent types of web application security vulnerability.

Key Concepts of SQL Injection

SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query
Attackers provide specially crafted input data to the SQL interpreter and trick the interpreter to execute unintended commands
Attackers utilize this vulnerability by providing specially crafted input data to the SQL interpreter in such a manner that the interpreter is not able to distinguish between the intended commands and the attacker’s specially crafted data. The interpreter is tricked into executing unintended commands
SQL injection exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data

Explaining SQL Injection

With over 20% of all web vulnerabilities being attributed to SQL Injection, this is the 2nd most common software vulnerability and having the ability to find and prevent SQL injection should be top of mind for web developers and security personnel. In general, a SQL Injection attack exploits a web application which does not properly validate or encode user-supplied input and then uses that input as part of a query or command against a back-end database. For example, a typical form may ask for a ID and create a URL: http://www.somewebsite.com/id/id.asp?id=somedata. An attacker using SQL Injection may enter "somedata or 1=1". If the web application does not properly validate or encode the user-supplied data and sends it directly to the database, the reply to the query will expose all ids in the database since the condition "1=1" is always true. This is a basic example, but it illustrates the importance of sanitizing user-supplied data before using it in a query or command.

SQL Injection Video

A SQL Injection Example

Let’s look at the SQL example given below.
sql injection

You will notice that user input is required to run this query. The interpreter will execute the command based on the inputs received for the username and password fields.

If an attacker provides ‘or 0=0’ as the username and password, then the query will be constructed as:
String SQLQuery =”SELECT Username, Password FROM users WHERE Username=” or 0=0” AND Password=” or 0=0”;
sql injection

Since under all circumstances zero will be equal to zero, the query will return all records in the database. In this way, an unauthorized user will be able to view sensitive information.

Preventing SQL Injection

SQL injection can be prevented if you adopt an input validation technique in which user input is authenticated against a set of defined rules for length, type, and syntax and also against business rules.
You should ensure that users with the permission to access the database have the least privileges. Additionally, do not use system administrator accounts like “sa” for Web applications. Also, you should always make sure that a database user is created only for a specific application and this user is not able to access other applications. Another preventive measure is to remove all stored procedures that are not in use.
Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures
Show care when using stored procedures since they are generally safe from SQL injection. However, be careful as they can be injectable (such as via the use of exec() or concatenating arguments within the stored procedure).

SQL Injection Cheat Sheet

The SQL Injection Cheat Sheet provides a summary of everything you need to know about SQL Injection. The SQL Injection Cheat Sheet contains the key concepts of SQL Injection and a SQL Injection example and tips for prevention of SQL Injection attacks.

SQL Injection