SQL injection in simple words

SQL injection is an attack in which text supplied through a web page's input fields is pasted, unchanged, into an SQL statement, so that part of the input is executed as SQL. It is a code injection technique aimed at data-driven applications: malicious SQL fragments are typed into an entry field of a web site, the application builds a query around them, and the database executes the result, exposing or altering the database contents. Let's walk through the process with an example. Assume a web form that lets a user enter a name and then returns some information about that user. The application builds the following SQL statement, where Variable is replaced by whatever the user typed:


SELECT * FROM users_table WHERE name = 'Variable';

Let's see how vulnerable this statement is.

The command retrieves the row of users_table whose name matches the value. SQL injection becomes possible wherever user input is pasted into such a condition. If the user enters a valid name, the record for that name is returned. Now imagine that instead of a name the attacker enters ' OR 'a'='a (a single quote, then OR 'a'='a' without its final quote). The application's own quotes close around it, and the statement becomes:


SELECT * FROM users_table WHERE name = '' OR 'a'='a';


The WHERE condition is now always true, because 'a'='a' holds for every row, so the query returns every record of the table (here users_table) instead of one.

Now let's look at the issue from another angle: comment markers. The two payloads below close the string, add the always-true condition, and then open a comment so that whatever the application appends after the input is ignored. (Both lines have a space at the end; in MySQL the -- marker only starts a comment when it is followed by whitespace.)

' OR 'a'='a' -- 
' OR 'a'='a' /* 

If one of these comment payloads is injected, the statement becomes:

SELECT * FROM users_table WHERE name = '' OR 'a'='a' -- ';

Everything after the comment marker is ignored by the database, including the closing quote and the semicolon that the application appended. So if the application adds an authentication check after the name, for example AND password = '...', the attacker can switch that check off by commenting it out.
Now let's see what happens if an attacker injects multiple statements. The payload ends with a comment marker so that the quote and semicolon appended by the application do not cause a syntax error:

' OR 'a'='a'; DROP TABLE users_table; -- 

SELECT * FROM users_table WHERE name = '' OR 'a'='a'; DROP TABLE users_table; -- ';

The first statement reveals every row of users_table, and the second simply deletes the table. Whether this works depends on whether the database API executes several semicolon-separated statements in one call. Many database servers allow it (Microsoft SQL Server batches, for instance, and MySQL when the client enables multi-statement mode), but some APIs, such as PHP's old mysql_query() function, send only one statement per call. That blocks entirely separate injected statements, but it does not stop an attacker from altering the one statement that is executed, which is all the earlier examples needed. Injected SQL changes the meaning of the statement and compromises the security of a vulnerable web application. Keep in touch for more discussion.
