SQL Injection Attack

Frinavale
A database is a collection of information organised in such a way that allows computer programs to access data (even large amounts) quickly and easily. Data within a database is organised into tables, which contain records/rows of fields. A field contains the actual data used by the program.

Relational Database Management Systems (RDBMS or sometimes just DBMS) allow users to access and manipulate data within databases. They are also used to run reporting and analysis tools. System administrators use them to secure and maintain databases. Some common RDBMSs include MySQL, Oracle, and MS-SQL.

SQL stands for Structured Query Language (generally pronounced as Sequel). It is the language used to issue commands to an RDBMS in order to retrieve or manipulate data. These commands can also be issued to manipulate the database structure itself. A SQL Injection attack exploits security vulnerabilities within the parts of an application's code responsible for taking input from a user and sending it, as part of a SQL string, to the RDBMS.

In order to store or retrieve information from the database, an application may dynamically create a SQL string to issue as a query. The SQL string is compiled by the RDBMS and then executed as a command. For example, the SQL string "SELECT * FROM AddressBook WHERE FirstName = 'John'" will result in the RDBMS returning all of the records from the table named AddressBook that have a FirstName field with the value of 'John'.

It may be that a first name is requested from the user, which is then added into the string to create the full SQL string required. E.g. if the user is prompted for a first name which is then put into the string, the string is built up as:
    "SELECT * FROM AddressBook WHERE [FirstName]='" + {first name from user here} + "'"
A SQL Injection attack occurs when a user enters SQL commands into an application instead of the intended value. For example, in this case, when the program prompts the user to enter a value for the first name, they might enter something like:
    a'; DELETE * FROM [OverduePayments] WHERE [AccountNo]='MyAccountNo';
This might ensure that a banking system forgets all your overdue mortgage payments. When the application creates the SQL string to access the database based on the user's input, the user's SQL commands are injected along with it. The RDBMS then compiles this resultant SQL string into a command and executes it. This results in the malicious user's command being executed along with the legitimate application command, allowing the malicious user unfettered access to the database.

In order to protect your applications against this form of attack, applications should implement strong validation on all user input before any queries are executed. Also, any data that may be used in SQL query creation should be stripped of harmful SQL commands. It is only necessary to remove any quotes from the data to strip user input of harmful SQL commands. Literal text values (what is required from the user in this example) are surrounded by quotes when used in a SQL string. Generally, this refers only to single-quotes ('), but most versions of Access will work with double-quotes (") just as happily. It is therefore advisable to remove all quotes from the input before attempting to use it to form the SQL string. Without a quote in the input, it will all be treated as data and is therefore quite safe.

Another means to protect against this type of attack is by utilizing stored procedures. Stored procedures are precompiled SQL commands that reside in the RDBMS. When a SQL query is provided by a program to the RDBMS in the form of a SQL string, the SQL is first compiled by the RDBMS into a command before it is executed. Stored procedures are already compiled, therefore they use fewer resources; but more importantly, the injected SQL will not be compiled to become part of the SQL instruction (It remains in the SQL, but just as data). Stored procedures also provide extra security, in that the database user can be further restricted to utilizing specific stored procedures.

Chapple, M. (2007). SQL Server Stored Procedures.
Feb 19 '09 #1
NeoPa
A more flexible approach, rather than removing all quotes from entered strings, is to double them up.
The example entered above:
    a'; DELETE * FROM [OverduePayments] WHERE [AccountNo]='MyAccountNo';
would be converted to:
    a''; DELETE * FROM [OverduePayments] WHERE [AccountNo]=''MyAccountNo'';
The intention is still clear, but it is rendered quite harmless by this technique.
Feb 5 '10 #2
NeoPa
A VBA function (MS Access specific) for handling this would be:
    Option Compare Database
    Option Explicit

    ' Double every single quote so the value cannot terminate the SQL literal it is placed in.
    Public Function SafeSQL(strArg As String) As String
        SafeSQL = Replace(strArg, "'", "''")
    End Function
This would be incorporated into a Standard (not class of any form) Module.
In the code to create the SQL string you might use something like:
    If DCount(Expr:="*", _
              Domain:="[tblSecurity]", _
              Criteria:="[UserName]='" & SafeSQL(Me.User) & "' AND " & _
                        "[Password]='" & SafeSQL(Me.Password) & "'") > 0 Then
    ...
Jun 2 '10 #3
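A worked version of the points made across this thread, added here as an editor's example and not code posted by Frinavale or NeoPa: the first post's string-concatenated lookup, NeoPa's quote-doubling SafeSQL (ported to Python as safe_sql), and a parameterized query for comparison. It uses Python's sqlite3 as a stand-in for Access/Jet, with constructed AddressBook and OverduePayments rows; the table names follow the thread, while the rows and every payload other than the thread's own DELETE example are assumptions. sqlite3's execute() refuses stacked statements, so the thread's DELETE payload raises here instead of running; the UNION payload shows the same loss of control against a driver that only runs one statement at a time. The example also covers a case the thread does not mention: an unquoted numeric context, where doubling quotes changes nothing.

```python
import sqlite3

# Constructed sample rows standing in for the thread's AddressBook and
# OverduePayments tables (the names follow the thread, the rows do not).
ADDRESS_BOOK = [("John", "Smith"), ("Jane", "Doe"), ("D'Arcy", "Lane")]
OVERDUE_PAYMENTS = [("ACC-001", 100.0), ("ACC-002", 250.0)]

# The payload from the first post, and three assumed ones used below.
PAGE_PAYLOAD = "a'; DELETE * FROM [OverduePayments] WHERE [AccountNo]='MyAccountNo';"
TAUTOLOGY = "' OR '1'='1"                                                # matches every row
UNION_READ = "' UNION SELECT AccountNo, Amount FROM OverduePayments --"  # reads another table
NUMERIC_TAUTOLOGY = "0 OR 1=1"                                           # for an unquoted number


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AddressBook (FirstName TEXT, LastName TEXT)")
    conn.execute("CREATE TABLE OverduePayments (AccountNo TEXT, Amount REAL)")
    conn.executemany("INSERT INTO AddressBook VALUES (?, ?)", ADDRESS_BOOK)
    conn.executemany("INSERT INTO OverduePayments VALUES (?, ?)", OVERDUE_PAYMENTS)
    return conn


def safe_sql(value: str) -> str:
    """Python port of NeoPa's SafeSQL: double each single quote so the value
    can no longer close the literal the programmer opened around it."""
    return value.replace("'", "''")


def lookup_vulnerable(conn, first_name: str) -> list:
    """The first post's pattern: user text is spliced into the SQL string and
    is therefore compiled as part of the statement, not treated as data."""
    sql = ("SELECT FirstName, LastName FROM AddressBook WHERE FirstName = '"
           + first_name + "'")
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, first_name: str) -> list:
    """Same string building, with the value passed through safe_sql first."""
    sql = ("SELECT FirstName, LastName FROM AddressBook WHERE FirstName = '"
           + safe_sql(first_name) + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, first_name: str) -> list:
    """Parameter binding: the driver sends the value separately from the SQL,
    so no quoting rule has to be right for the value to stay data."""
    sql = "SELECT FirstName, LastName FROM AddressBook WHERE FirstName = ?"
    return conn.execute(sql, (first_name,)).fetchall()


def overdue_vulnerable_numeric(conn, min_amount: str) -> list:
    """An unquoted numeric context. safe_sql is applied but cannot help: there
    is no quote to close, so any text is spliced straight into the expression."""
    sql = ("SELECT AccountNo FROM OverduePayments WHERE Amount > "
           + safe_sql(min_amount))
    return conn.execute(sql).fetchall()


def overdue_parameterized(conn, min_amount: str) -> list:
    """Validate the type first (float() rejects '0 OR 1=1'), then bind it."""
    amount = float(min_amount)
    sql = "SELECT AccountNo FROM OverduePayments WHERE Amount > ?"
    return conn.execute(sql, (amount,)).fetchall()


def query_fails(fn, conn, value) -> bool:
    """True when the query raises instead of returning rows. sqlite3.Warning is
    what older Python versions raise for stacked statements."""
    try:
        fn(conn, value)
        return False
    except (sqlite3.Error, sqlite3.Warning, ValueError):
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input:   ", lookup_vulnerable(db, "John"))
    print("vulnerable, tautology:      ", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union read:     ", lookup_vulnerable(db, UNION_READ))
    print("vulnerable, D'Arcy breaks:  ", query_fails(lookup_vulnerable, db, "D'Arcy"))
    print("escaped, union read:        ", lookup_escaped(db, UNION_READ))
    print("escaped, D'Arcy works:      ", lookup_escaped(db, "D'Arcy"))
    print("doubled page payload:       ", safe_sql(PAGE_PAYLOAD))
    print("numeric, escaped but bare:  ", overdue_vulnerable_numeric(db, NUMERIC_TAUTOLOGY))
    print("numeric, validated + bound: ", query_fails(overdue_parameterized, db, NUMERIC_TAUTOLOGY))
```

Run it directly to print each case. The point to take away: doubling quotes is the correct escape for a value spliced inside single quotes, and is what Access SQL accepts, but it protects only that context and only if it is applied on every path. A bound parameter keeps the value out of the compiled statement in every context, and type validation (the float() call above) is what closes the unquoted numeric case.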
