Thursday, July 30, 2009

SQL Injection

Definition


SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.


There are many forms of this vulnerability, including:


1. Incorrectly filtered escape character
  • occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.

2. Incorrect type handling
  • occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user-supplied input is numeric.

3. Vulnerabilities inside the database server
  • flaws in the database server software itself, such as one in MySQL server's mysql_real_escape_string() function. Such a flaw would allow an attacker to perform a successful SQL injection attack based on bad Unicode characters even if the user's input is being escaped.

4. Blind SQL injection
  • used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.


Magic code / words for SQL Injection:

hi' or 1=1--

' or 'a'='a

' or 1=1--

" or 1=1--

or 1=1--

" or "a"="a

') or ('a'='a


Protection from SQL Injection


Assume parameters are either strings or integers, and that all form input arrives as text.

1. If magic quotes is on, run stripslashes().

2. If it is an integer, convert it to integer type.

3. If it is a string, replace AND, OR.

4. Remove special characters that are not needed, like = and ; (any others?).

5. Use the escape function for MySQL.

6. Quote variables in the query string.

7. Use double quotes.

8. Avoid dynamic SQL.

9. Validate all input.

10. Apply the principle of least privilege.
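The following is an added example, not code from the original post: it puts a dynamically built login query beside a parameterized one (items 2 and 8 above) and feeds each the post's own tautology payload. It uses Python's built-in sqlite3 instead of MySQL/PHP, and the user table is constructed sample data.

```python
import sqlite3

# Constructed sample data for the demonstration, not from the original post.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", USERS)
    return conn


def login_dynamic(conn, name, password):
    """Vulnerable: input is concatenated into the statement (dynamic SQL, item 8)."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Hardened: the driver binds the values, so input can only ever be data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def user_by_id(conn, raw_id):
    """Item 2: a numeric field is converted to int first; non-numeric input is rejected."""
    try:
        uid = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 'a'='a"  # tautology from the list above
    # WHERE ... AND password = '' or 'a'='a' is true for every row
    print(login_dynamic(conn, "anyone", payload))        # ['alice', 'bob']
    # the same text is bound as a literal and matches nothing
    print(login_parameterized(conn, "anyone", payload))  # []
    print(user_by_id(conn, "1 OR 1=1"))                  # None
```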


For more details, see the links below:

· Wikipedia

· SecuriTeam

· Microsoft

· Digitalpoint forum
