Summary -
In this topic, we described about the below sections -
SQL Injection is a type of code injecting web hacking technique. By using SQL Injection attacker may know the sensitive data that is unable to read like customer private details, passwords, credit card bills etc.. by inserting code from web page input. Attacker may hack the web application by using SQL Injection, which is used SQL database like MySQL, ORACLE, POSTGREL. In some cases attacker may destroy the database also. Attacker may process or manipulate data like UPDATE, INSERT, DELETE data in the database.
SQL Injection Examples
The various ways of SQL Injection attacks and techniques are explained as follows –
Let us consider below table(s) as an example table(s) to frame the SQL query for getting the desired results.
employee_details -
emp_id | emp_name | designation | manager_id | date_of_hire | salary | dept_id |
---|---|---|---|---|---|---|
001 | Employee1 | Director | 2019-07-11 | 45000.00 | 1000 | |
002 | Employee2 | Director | 2019-07-11 | 40000.00 | 2000 | |
003 | Employee3 | Manager | Employee1 | 2019-07-11 | 27000.00 | 1000 |
004 | Employee4 | Manager | Employee2 | 2019-10-08 | 25000.00 | 2000 |
005 | Employee5 | Analyst | Employee3 | 2019-07-11 | 20000.00 | 1000 |
006 | Employee6 | Analyst | Employee3 | 2019-10-08 | 18000.00 | 1000 |
007 | Employee7 | Clerk | Employee3 | 2019-07-11 | 15000.00 | 1000 |
008 | Employee8 | Salesman | Employee4 | 2019-09-09 | 14000.00 | 2000 |
009 | Employee9 | Salesman | Employee4 | 2019-10-08 | 13000.00 | 2000 |
Retrieving hidden data – In this attacker modify the SQL query to get additional data from database.
If we want to show the emp_id is 002 details only by keeping all rows in privacy, attacker can use following query to get all employees information. The query was as follows –
SELECT * FROM employee_details WHERE emp_id = 2 OR 1 = 1;
Attacker can also use the following query also
SELECT * FROM employee_details WHERE emp_id = emp_id;
By executing above query we can know the all details of all employees because 1=1 is always TRUE and then it returns all details from table.
Subverting application logic – In this attacker can modify the query, to change the logic of the application.
Let us consider when we need to specify a particular employee detail in query that employee details will returned in result set, But attacker can use the following query to get the all employees details without mentioning any one correct field details. The query was as follows -
SELECT * FROM employee_details WHERE emp_id = '' or '' = '';
By executing above query, attacker get all details of employees because '' = '' is always true.
UNION attacks – In this attacker can get details from another table also which is in the same database.
SELECT emp_name,designation,dept_id FROM employee_details
UNION all
SELECT dept_name,dept_location,dept_id FROM department_details;
By executing above query, attacker get details from department_details table also ike as shown in below –
emp_name | designation | dept_id |
---|---|---|
Employee1 | Director | 1000 |
Employee2 | Director | 2000 |
Employee3 | Manager | 1000 |
Employee4 | Manager | 2000 |
Employee5 | Analyst | 1000 |
Employee6 | Analyst | 1000 |
Employee7 | Clerk | 1000 |
Employee8 | Salesman | 2000 |
Employee9 | Salesman | 2000 |
Office | Location1 | 1000 |
Sales | Location2 | 2000 |
Blind SQLi attack – This extremely dangerous attack. By using this attacker can ask TRUE or FALSE questions. In this attacker cannot see the information of web application, But attacker can modify the structure of the database by knowing the nature of database. In Blind SQLi information cannot transferred through the attacker from web application.
Prevention of SQL Injection
We can prevent SQL Injection on web application by using parameterized queries. Parameterized queries are used, when uncertain input's are appeared in SQL query of WHERE clause and INSERT and UPDATE statements of values. Parameterized queries cannot handle untrusted input's in the names of columns and tables or in the ORDER BY clause also. The parameters represents the values, that are used in the execution of the query. The parameters are nothing but placeholders which are holding values. @ is used to represent the parameter in the SQL statement. SQL engine search for each parameter to ensure that it is correct or not for that column.