September 5, 2010 at 5:51 am
Hi,
What is the use of SQL Injection?
Is it meant by attacking the database to misbehave?
Can any one tell me where it is used?
September 5, 2010 at 6:09 am
SQL Injection is used by hackers in an attempt to steal or damage a company's data. It is usually a result of poor programming using dynamic sql constructs. Not that dynamic sql itself is bad, just that many developers don't properly protect the code they write from SQL Injection.
September 5, 2010 at 6:46 am
Can you give me any example how to do it in real?
September 5, 2010 at 6:57 am
to add to Lynn's reply, it's not just bad coding. More often it's a blatant misuse of priveleges. I have seen many cases of elevated privileges. Even one website which connected as SA to the database server, with the username and password in clear text in the web.config file!!! :w00t:
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" π
September 5, 2010 at 6:59 am
chandrasekaran.ganapathy (9/5/2010)
Can you give me any example how to do it in real?
Hereβs a very simplistic case:
You have a field to enter a user name and password.
The underlying web screen code concatenates this into a sql command to send to the database to see if you have access.
The sql command is supposed to look like:
Select * from users where name = 'myname' and password = 'mypassword'
Well, if the user enters into the name field the following line:
Myname' or 1=1--
This becomes:
Select * from users where name = 'myname' or 1=1 --' and password = 'mypassword'
This ends up returning all fields from the users table, because regardless of whether the name matches a name is the table, the 1=1 condition will always be true. And, the double dashes remarks out the rest of the line, so a password check is never performed.
Once they know they have access, they can then enter for a user name:
Myname' or 1=1;select * from sys.tables;--
The semi-colons separate different commands. So, the select * from sys.tables will be run, and will generate a list of all of the tables in the database.
So the hacker sees one called CustomerInfo. Guess what (s)he does?
Myname' or 1=1;select * from CustomerInfo;--
Now, all of the customer information can be displayed for the hacker. And all your customers will soon be victims of identity theft attempts.
Will you ever know this happened? Not likely.
How do you defend against it? Besides having the input data validated, you donβt build and run sql commands at the client level; instead you use stored procedures and pass parameters to it.
The stored procedure will look like:
CREATE PROCEDURE dbo.IsValidLogin (@username varchar(20), @password @varchar(20), @Return bit OUTPUT)
AS
SET @Return = 0;
IF EXISTS (Select * from users where name = @username and password = @password) set @Return = 1;
GO
If they put in anything, it will be encapsulated into the PARAMETER, and there wonβt be a username that matches βMyname' or 1=1--β. They wonβt see anything.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
September 5, 2010 at 7:46 pm
Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? π
--Jeff Moden
Change is inevitable... Change for the better is not.
September 5, 2010 at 8:09 pm
Jeff Moden (9/5/2010)
Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? π
Sort of why I stayed away from actually showing him how SQL Injection works. There are blogs and articles that do hat if you look for them.
September 5, 2010 at 8:17 pm
Lynn Pettis (9/5/2010)
Jeff Moden (9/5/2010)
Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? πSort of why I stayed away from actually showing him how SQL Injection works. There are blogs and articles that do hat if you look for them.
I really did think twice about this... but if you look at the examples, they also depend on the web site displaying the information. While certainly possible, it is probably looking for a success/fail, and not displaying all the information that is being streamed back. I really wanted to get to a point where I could show how to prevent it, like the last code sample does.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
September 5, 2010 at 8:58 pm
WayneS (9/5/2010)
Lynn Pettis (9/5/2010)
Jeff Moden (9/5/2010)
Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? πSort of why I stayed away from actually showing him how SQL Injection works. There are blogs and articles that do hat if you look for them.
I really did think twice about this... but if you look at the examples, they also depend on the web site displaying the information. While certainly possible, it is probably looking for a success/fail, and not displaying all the information that is being streamed back. I really wanted to get to a point where I could show how to prevent it, like the last code sample does.
My problem with the question is that OP seems to think that it is a valid programming technique, not something to be defended against. If the conversation turned more that direction, then I would have been more open to showing more.
September 6, 2010 at 3:04 am
Guys,
the remaining point is permissions. SQL injection is possible because of main 2 issues.
Bad code
misuse of permissions
The following
Myname' or 1=1;drop table dbo.customers;--
would not work if the account connecting to the database had only read access to the tables. OK, the website is allowing this back door in the first place but if permissions were properly granted the drop would fail. So many times i see systems where developers have 'ticked' every single box on the permissions list to get something working!!!!
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" π
September 6, 2010 at 8:54 am
Good point Perry.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
September 6, 2010 at 9:08 am
incidentally Wayne, although i do sort of agree with Jeff and Lynn,
"all pirates should find their own treasure"
i do think that you presented well to the OP.
(i hope i dont get the pork chop treatment here, sorry Jeff π )
At the end of the day he could find that info anywhere without too much trouble. I would have preferred you too touch on permissions a little more though as i think these are the root of all evil!
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" π
September 6, 2010 at 9:43 am
How would a hacker get to see a web.config file?
How can you not show passwords in a web.config file for the account which is accessing a database?
September 6, 2010 at 9:53 am
sku370870 (9/6/2010)
How would a hacker get to see a web.config file?
possibly many avenues to achieve this on an unsecured server
sku370870 (9/6/2010)
How can you not show passwords in a web.config file for the account which is accessing a database?
by encrypting your connection strings in the web.config file!
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" π
September 6, 2010 at 2:15 pm
Perry Whittle (9/6/2010)
incidentally Wayne, although i do sort of agree with Jeff and Lynn,"all pirates should find their own treasure"
i do think that you presented well to the OP.
(i hope i dont get the pork chop treatment here, sorry Jeff π )
At the end of the day he could find that info anywhere without too much trouble. I would have preferred you too touch on permissions a little more though as i think these are the root of all evil!
Heh... not to worry, gents. I was just making an observation. No pork chops here for anyone especially since all the info is so readily available in other places. I just think it's funny that someone would ask what the "use" of SQL Injection was instead of asking how to prevent it. Probably just a language barrier thing... I hope...
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 15 posts - 1 through 15 (of 22 total)
You must be logged in to reply to this topic. Login to reply