What is SQL Injection (SQLi)? Basic Concepts and Example!

In this tutorial, you’ll learn about SQL injection (SQLi). I’ll try to cover everything from the very basics.

Introduction!

In this article, I assume that you have no prior knowledge or experience of SQL (and SQLi). So, I’ll first introduce you to the following terms:

  • SQL (Structured Query Language)
  • Databases and Tables
  • Database Management System (DBMS)

About SQL Injection

SQL injection (or SQLi) is an attack in which an attacker gets his own SQL commands executed by the database behind a target web server.

This vulnerability can affect any website or web application that uses an SQL-based database. It is one of the oldest, most prevalent and most dangerous web application vulnerabilities.

Tables and Databases!

All computer programs and applications work with or around data. This data needs to be stored somewhere so that it can be accessed and managed at any time.

We can store data in a row-column fashion called a table (compare it to an Excel sheet). A collection of related tables is called a database (compare it to an Excel workbook).

Please watch the following videos to have a clear picture of all the basic concepts.

Structured Query Language (SQL)

SQL stands for Structured Query Language. SQL is the language used to talk to a database and its tables. We can classify SQL commands into three broad categories:

  • DDL – Data Definition Language (used to create and alter tables and their structure)
  • DML – Data Manipulation Language (used to modify data in the database: insert, update or delete rows)
  • DCL – Data Control Language (used to set permissions on tables, procedures and views)

These are the same commands a hacker uses once he finds a suitable target for SQL injection.

Database management system (DBMS)

A DBMS provides a structured way to organize and manage data. It offers more reliability, security and backup facilities than other ways of organizing data (such as a flat-file system).

A database management system also provides the SQL commands used to perform operations on the stored tables and databases.

Examples of DBMS: MySQL, SQLite, Oracle DB, Microsoft SQL Server, etc.

Applications of DBMS: Today, database management systems are used everywhere (as explained in the videos), including but not limited to:

  • Computer programs and software applications
  • Dynamic websites and web applications
  • Hotels, railways, airports, schools, colleges and universities

So, for a hacker, getting his hands into a database means access to all the information: content, user names, passwords and everything! BAM!

SQLi Example – How It’s Actually Done?

An SQL injection needs just two conditions to exist – a relational database that uses SQL, and user-controllable input that is used directly in an SQL query.

Let’s take the example of an email service. The following SQL query is generated when you try to log in to your email account with username JOHN and password PWD:

SQL Command
 SELECT inbox, outbox, draft FROM email WHERE username='JOHN' AND password='PWD';

The above query is sent to the backend DBMS. It returns the inbox, outbox and draft details when the entered username and password match a record in the database.

From the above SQL command you can easily guess that:

  • email is the name of the table in our database
  • inbox, outbox, draft, username and password are columns of the email table

Now, an attacker can modify this generated SQL command by supplying his own SQL through the input fields.

SQL Injection Example A

One way to change this command is to enter the following in the password field: ' OR '1'='1

Now the overall query will be modified to following:

SQL Injection Command
SELECT inbox, outbox, draft FROM email WHERE username='JOHN' AND password='PWD' OR '1'='1';

Hacked! The above command is now syntactically valid and will be executed. Because OR '1'='1' is always true, the WHERE clause matches every record regardless of the password entered.

SQL Injection Example B

Another way to change the SQL query is to enter the following in the username field: '; DROP TABLE email;--

Now the overall query will be modified to following:

SQL Injection Command
SELECT inbox, outbox, draft FROM email WHERE username=''; DROP TABLE email;--' AND password='PWD';

The first statement of the above SQL command does not do much, but the second statement deletes the complete email table (the -- turns the rest of the original query into a comment)! Panic!!

How To Know If SQL Injection is Possible?

There is only one way to know for sure whether SQL injection is possible, and that is to test for SQL injection on your own application.

SQLi is usually possible when user input is not properly sanitized. If SQL entered into a contact form, search box, etc. is passed to the SQL engine and gets executed, injection is possible!

There are two methods for testing SQL injection:

  • Manual.
  • Automated/Semi-automated (using Software Tools).

In the manual method, we try to get our own SQL statements executed by entering them into user input boxes. In the automated/semi-automated method, we use existing packages and software tools to test for SQL injection.

Countermeasures | Protection Against SQLi

Audit the security of your website and web application against SQLi attacks. Read our next articles to learn how to perform SQL injection:

  • SQLmap (tutorial, to be published soon)

Primary Defenses:

  • Option #1: Use of Prepared Statements (Parameterized Queries)
  • Option #2: Use of Stored Procedures
  • Option #3: Escaping all User Supplied Input

Additional Defenses:

  • Also Enforce: Least Privilege (the application’s database account gets only the permissions it needs)
  • Also Perform: White-List Input Validation (accept only the characters and formats an input is expected to contain)
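The following runnable example is added here and is not code from the original article. It ties Examples A and B above to the defenses just listed, using Python’s built-in sqlite3 module and a constructed in-memory email table with the same columns as the tutorial’s query: the vulnerable login builds the query by string concatenation exactly as the article shows, the hardened login uses a prepared statement (Option #1), a regular expression provides white-list validation of the username, and the sqlite3 authorizer hook stands in for a SELECT-only database account (Least Privilege), since SQLite has no GRANT. The sample rows, the allowed username character set and the authorizer stand-in are assumptions for this example.

```python
import re
import sqlite3

# Constructed sample data mirroring the tutorial's "email" table. The password
# column holds plaintext only so the queries match the article's example; a
# real application stores a password hash and compares against that instead.
SAMPLE_ROWS = [
    ("JOHN", "PWD", "inbox-J", "outbox-J", "draft-J"),
    ("ALICE", "s3cret", "inbox-A", "outbox-A", "draft-A"),
]

# White-list for the username field: letters, digits and underscore, 1-32 chars.
# The exact character set is an assumption for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Creates an in-memory SQLite database holding the tutorial's email table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE email (username TEXT, password TEXT, "
        "inbox TEXT, outbox TEXT, draft TEXT)"
    )
    conn.executemany("INSERT INTO email VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, exactly as the tutorial's
    example query does. Whatever the user typed becomes part of the SQL text."""
    query = (
        "SELECT inbox, outbox, draft FROM email "
        f"WHERE username='{username}' AND password='{password}';"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Prepared statement (Primary Defense Option #1): the SQL text is fixed and
    the user's values are bound as parameters, so a quote in the password is
    compared as data and never parsed as SQL."""
    query = "SELECT inbox, outbox, draft FROM email WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def is_valid_username(value):
    """White-list input validation: reject anything outside the expected
    character set before it ever reaches the database layer."""
    return USERNAME_RE.fullmatch(value) is not None


def restrict_to_select(conn):
    """Least privilege. A real deployment grants the web application's database
    account SELECT only; here the sqlite3 authorizer hook (consulted while each
    statement is compiled) denies every action except reading rows via SELECT."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def attempt(fn, *args):
    """Runs fn(*args) and reports ("ok", result) or ("error", exception name).
    sqlite3.Warning is caught too: older Python versions use it for the
    'one statement at a time' refusal instead of ProgrammingError."""
    try:
        return ("ok", fn(*args))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", type(exc).__name__)


def try_drop_table(conn):
    """Issues the DROP TABLE from Example B directly on the connection."""
    conn.execute("DROP TABLE email")


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Example A: the concatenated query returns every row, the prepared one none.
    print("vulnerable:", login_vulnerable(db, "JOHN", "' OR '1'='1"))
    print("parameterized:", login_safe(db, "JOHN", "' OR '1'='1"))
    # Example B: the Python sqlite3 driver refuses to run a second statement in
    # execute(); that is a property of this driver, not a defense to rely on.
    print("stacked:", attempt(login_vulnerable, db, "'; DROP TABLE email;--", "PWD"))
    print("white-list:", is_valid_username("JOHN"), is_valid_username("' OR '1'='1"))
    restrict_to_select(db)
    print("drop under least privilege:", attempt(try_drop_table, db))
    print("email table still present:", table_exists(db, "email"))
```

Run it as a script to see each defense in turn. The point worth noticing is that the prepared statement alone stops both examples, while the input white-list and the SELECT-only account are layers that still hold if some other query in the application is written the vulnerable way.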

External Resources

Here are a few references and external links you’ll find interesting:

Recommended Books

The best choice for those who are looking for a suitable SQLi book:

  • SQL Injection Attacks and Defense, Second Edition
