SQL Injection
SQL injection is a technique where hacker can inject SQL commands into an SQL statement, via web
page.Injected SQL commands can compromise the security of a website.
SQL Injection
Based on 0=0 is Always True
Let's say that the original
purpose of the code was to create an SQL statement to select a user with a
given Emp_id.
Emp_id: 112
or 0=0
SELECT *
FROM Emp_Details WHERE
Emp_id = 112 or
0=0
The SQL above is valid. It will return all rows from the table, as WHERE
0=0 is always true.
SQL Injection
Based on ""="" is Always True
Here is a public construction,
used to verify user login on a web page:
User Name:
Password:
The Final Statement will be
UserName = request.form("UserName");
Pass = request.form ("UserPass");
sql=" SELECT * FROM Emp_Details WHERE UserName ='" + UserName + "' AND PassWord ='" + Pass + "'"
Pass = request.form ("UserPass");
sql=" SELECT * FROM Emp_Details WHERE UserName ='" + UserName + "' AND PassWord ='" + Pass + "'"
Hackers might get access to user names and passwords in a
database by simply inserting “or ""=" into the user name or
password text box.
The code at the server will create a valid SQL statement like
this:
SELECT * FROM Emp_Details WHERE UserName =""
or ""=""
AND PassWord ="" or
""=""
The result SQL is valid. It will return all rows from the
table Users,since WHERE ""="" is always true.
SQL Injection
Based on Batched SQL Statements
Most databases support batched
SQL statement, separated by semicolon.
e.g.
SELECT * FROM Emp_Details ; DROP TABLE EmpLoginDetails
The SQL above will return all rows in the Emp_Details table, and then delete EmpLoginDetails table.
If we had the following server code:
UserName = request.form("UserId");
txtSQL = " SELECT * FROM Emp_Details WHERE UserName = " + UserName;
txtSQL = " SELECT * FROM Emp_Details WHERE UserName = " + UserName;
And the following input:
User Name: 105; DROP TABLE EmpLoginDetails
The code at the server would create a valid SQL
statement like this:
SELECT *
FROM Emp_Details WHERE UserName = 105; DROP TABLE EmpLoginDetails
Parameters for
Protection
The only way to protect a web page
from SQL injection, is to use SQL parameters. SQL parameters are values that
are added to an SQL query at execution time, in a controlled manner. The SQL engine checks each parameter to ensure that it
is correct for its column and are treated literally, and not as part of the SQL
to be executed.
UserName = request.form("UserId");
sql = " SELECT * FROM Emp_Details WHERE UserName = @a";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@a", UserName);
command.ExecuteReader();
sql = " SELECT * FROM Emp_Details WHERE UserName = @a";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@a", UserName);
command.ExecuteReader();
