Tuesday, August 5, 2014

SQL Injection

SQL Injection as the name suggests is about injecting SQL via web page input fields. It's quite common in web applications to allow users to enter inputs for various fields. A malicious user can take advantage of that if the SQL commands on the back end are not properly handled.

Let's looks into what are different kinds of SQL attack and then we will see how to handle such situations so that our application does not becomes the victim of someone's malicious intents.

SQL Injection by putting an extra query
Let's say we have a search field name and this will be used to search the list of users based on name. Now for searching the SQL query written on the back end is:

"Select * from users where name = '" + searchString + "'";

Here searchString is the String passed from front end as specified by user. A malicious user can enter a String like

lalit';delete from users where '1'='1

The SQL command that will be fired to database will be

Select * from users where name = 'lalit';delete from users where '1'='1'

The records in the users table vanishes in the thin air.

If the search is done for a numeric and their is not validation on the type of input

"Select * from users where id= " + searchId;

The job becomes much easier. The malicious user has to just enter

1;delete from users

or for that matter

1; drop table users

SQL Injection to fetch records which are not accessible

This is again a variation of above kind. For example we can get all the records from the users table by putting the following in search box

SQL command 

"Select * from users where name = '" + searchString + "'";

User enters   

lalit' or 1=1;

Because of true or condition all the records will be returned.

How to keep yourself safe from SQL Injection
  • The golden rule is to use parametrized query . Parametrized query handles the parameters properly. 
  • You can put other restrictions in place like connecting to database with a user with minimum authorities.
  • Put validations in place on the front end.

No comments:

Post a Comment