SQL Needle Injection ;)

Database security is a huge issue. Having your database compromised is about the worst thing that can happen to a web developer, especially if it contains sensitive user information (passwords, credit card numbers, e-mail addresses etc.). Even if you store your confidential data securely, you don't want any of it to be accessible to anyone but yourself. SQL injection is a common vulnerability that many beginning programmers fall victim to.

What is it?
In PHP/MySQL, an SQL injection attack is performed by submitting a specially crafted string through a form so that it becomes part of your SQL query and changes what the query does. For example, say you have a login form that checks a username/password combination against the database with a simple SQL query built by string interpolation:

SELECT * FROM users WHERE username = '$input_username' AND password = '$input_password'

where $input_username and $input_password are submitted values taken from the login form. So if there is a person with username “admin” and password “secret”, when you enter “admin” and “secret” into the login page, the query becomes:

SELECT * FROM users WHERE username = 'admin' AND password = 'secret'

The query will indeed find a row with these values and the user is logged in. The problem arises when an unauthorized user enters "admin" as the username and something like this as the password: ' OR '1'='1

The query then becomes:

SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'

The single quote entered at the start of the password is copied straight into the query and is treated as the closing quote of the password literal rather than as part of the password; the rest of the input then becomes SQL. Because AND binds more tightly than OR, the WHERE clause reads as (username = 'admin' AND password = '') OR '1'='1', and since '1'='1' is always true the query returns every row in the table, whatever the username. An application that only checks whether any row came back now logs the attacker in, typically as whichever user the database returned first, without knowing any password. (The payload ends with '1 rather than 1 so that the original closing quote still terminates a string; a bare ' OR 1=1 would leave a stray quote and produce a syntax error, which is why attackers also use a trailing SQL comment such as ' OR 1=1 -- to discard the rest of the query.)
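The following script, added here as an illustration and not part of the original post, reproduces the login bypass described above against an in-memory SQLite database (the post discusses MySQL, but the mechanics are identical). It builds the query by string interpolation exactly as the PHP example does, shows that the ' OR '1'='1 payload returns every user, that a bare ' OR 1=1 merely breaks the query, and, for contrast, that the same inputs are harmless when passed as bound parameters. The table contents and the helper names are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
# Passwords are stored in clear text only to mirror the post's schema;
# a real application would store a salted password hash instead.
SAMPLE_USERS = [("admin", "secret"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory users table populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Build the query by interpolation, exactly like the PHP example."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Return the usernames the interpolated query matches (empty = denied)."""
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return [r[0] for r in rows]


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input never becomes SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


def try_login(conn, login_fn, username, password):
    """Run a login function and report the outcome an attacker would see."""
    try:
        matched = login_fn(conn, username, password)
    except sqlite3.OperationalError as exc:
        # The payload broke the SQL grammar (e.g. an unterminated quote).
        return ("syntax error", str(exc))
    return ("granted" if matched else "denied", matched)


if __name__ == "__main__":
    conn = make_db()
    cases = [
        ("admin", "secret"),        # legitimate login
        ("admin", "wrong"),         # wrong password
        ("admin", "' OR '1'='1"),   # classic bypass: every row matches
        ("admin", "' OR 1=1"),      # stray trailing quote: syntax error
        ("admin", "' OR 1=1 -- "),  # comment swallows the trailing quote
    ]
    for user, pw in cases:
        print("vulnerable   ", repr(pw), "->", try_login(conn, login_vulnerable, user, pw))
        print("parameterized", repr(pw), "->", try_login(conn, login_parameterized, user, pw))
        print("  query:", build_vulnerable_query(user, pw))
```

The bypass works against the interpolated query because the database cannot tell where the password literal ends and the attacker's SQL begins; with a bound parameter the whole string, quotes and all, is compared against the password column and no row matches.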

This is a very basic version of an SQL injection attack, but it gives a good illustration of how it works. You'd be surprised how often it works in practice because of sloppy query construction. Just last month, it was reported that the Nokia Canada administration site was open to the simple SQL injection attack described above. Needless to say, many people were able to access it and change product information across the site. I'm sure someone got fired over it.

Read part 2 – How to Prevent an SQL Injection Attack
