What is an SQL injection attack?
Archive - Originally posted on "The Horse's Mouth" - 2005-08-02 11:33:17 - Graham EllisIt's where an unauthorised user enters illegal data that gets placed into an SQL command, with the purpose of changing the meaning of that SQL command. For example, you might use the SQL query
SELECT count(id) FROM user where uname = "xxxxxx" and pword = "yyyyy"
to validate a user name and password pair when someone logs in to your application, replacing the xxxxxx and yyyyy with the information the person enters on a form. In testing, that will work fine for you, but if your user were to complete the form so that:
xxxxxx becomes hack" or 1 = 1 -- "
yyyyy becomes anything
then returned values will be greater than 0 ... probably allowing an unauthorised login.
How come there's this problem? This is what the command that's run has become:
SELECT count(id) FROM user where uname = "hack" or 1 = 1 -- "" and pword = "anything"
Anything after the -- sign is treated by most SQL engines as a comment (so the password is unchecked) and every line will match because 1 always equals 1!
Can you prevent this problem in your applications? Yes, absolutely, if you know of the potential problems and do something to avoid them. This isn't going to be a complete paper on SQL security, but you'll do well to start by \ protecting any " and ' characters that the user enters ... that way, your query will say "literally a " " or "literally a ' " rather than anything more dangerous.