Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction The concept of “SQL Injection”

Published byAmbrose Ira Fisher Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction The concept of “SQL Injection”"— Presentation transcript:

1 Introduction The concept of “SQL Injection”
Commands susceptible to injection attacks Some simple code Some security holes Preventing injection attacks

2 SQL Injects – Start wailing...
Assuming you’ve got good security then the ability to make queries to an online database is difficult. A hacker would need to know the name and server location of the database file and some information about the fields used in a Members table in order to run a hack. This could take a long time to guess... Surprisingly, hacking passwords can be done using SQL injection routines on website forms.

3 SQL Injection This kind of attack is not a technological security hole in the Operating System or server software. It depends on the way that a website is developed. Some developers are unaware of this kind of attack and unknowingly develop web applications which open doors for hackers to inject SQL Queries / Commands into the system. To be able to perform SQL Injection hacking, all an attacker needs is a web browser and some guess work to find important table and field names.

4 SQL Injection Once an attacker realizes that a system is vulnerable to SQL Injection, they are able to inject SQL Query / Commands through an input form field. This is equivalent to handing the attacker the Query Browser, allowing him to send any SQL command like SELECT, INSERT, DELETE and DROP TABLE to the database!

5 Here’s a standard login form:
<form method="post" action="login.php"> <input type="text" name="username"> <input type="password" name="password"> </form> And here’s a standard PHP SELECT SQL statement that is built from the user’s input to the form: "SELECT userid FROM Members WHERE username = '$username' AND password = '$password' ";

6 This would build the following SQL SELECT statement:
Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x This would build the following SQL SELECT statement: "SELECT userid FROM Members WHERE username = 'Joe' AND password = 'anything' OR 'x'='x' "; Because the application is just constructing a string, the use of the single quotes has turned the WHERE into a two- component clause. The 'x'='x' part guarantees to be true regardless of what the first part contains. This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

7 Finding useful information
Most members-only websites contain a link to retrieve a forgotten password If not carefully designed, then these forms are ripe for hacking! Mostly, these forms just consist of a single input box into which you type your address Put this into a “retrieve login details” form and change 'field' to any fieldname (e.g. ): x' OR field LIKE '%harry%

8 Finding useful information
If the field does not exist, you will get an SQL error Otherwise you’ve found a field name! If the user does not exist, you will probably be told that your username is invalid Otherwise, you will get some kind of "We have ed your user details to your address" type message (usually giving the address in the process) Therefore, by trial and error, you can find a valid user address within the table! Now, what can we do with this information?..

9 Using gained information
In SQL Server, Oracle and MySQL we can run multiple SQL statements by using SQL injections: Assuming we have discovered that the field in the database is ‘ ’ and we have found a valid address then we can change their address in the table to ours: x'\; UPDATE Members SET = WHERE =

10 Using gained information
Now we can get hold of their password by simple entering our address into the retrieve password form Scary huh? How about deleting tables? x' UNION DROP TABLE Users;-- This makes use of the SQL comment - - to close off the statement making it valid Surprisingly, MS Access cannot run multiple SQL commands in one go and so paradoxically is safer!

11 Preventing SQL Injections
The best way to defend against SQL injection attacks is: to use “prepared statements” if possible to filter extensively any input that a user can give You should remove everything but the known good data and filter meta characters from the user input Remember to put maxlength attributes on your input boxes but don’t rely on them This helps to ensure that only what should be entered in the field will be submitted to the server

12 Background Reading SQL injection: tion_Prevention_Cheat_Sheet Prepared statements: syntax-prepared-statements.html

Download ppt "Introduction The concept of “SQL Injection”"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
SQL Injection Timmothy Boyd CSE 7330.

SQL Injection Timmothy Boyd CSE 7330.
Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io

Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io
PHP Security.

PHP Security.
Introduction To PHP 20 * Introducing the basics of programming * Discovering variables, loops, arrays and conditions * Integrating HTML and PHP Stations.

Introduction To PHP 20 * Introducing the basics of programming * Discovering variables, loops, arrays and conditions * Integrating HTML and PHP Stations.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 

Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.

Similar presentations

Ads by Google