SQL Injection - PowerPoint PPT Presentation

Provided by: capi7

Transcript and Presenter's Notes

1
SQL Injection
  • DO NOT ATTEMPT sql injection other than on our
    leda server, in the examples that I have built or
    that you build yourself
  • It is ILLEGAL to crack someone's password
  • Perpetrators could face jail time

2
SQL Injection
  • Server-side scripts use data from the users in
    order to build sql statements
  • select * from properties where price < 300000
  • In the example above, 300000 is supplied by the
    user

3
Careless Coding
  • $sql = "select * from properties where price < $_POST[price]";
  • In the example above, the user supplied the data in
    the text field named price in the form that is
    being processed; the script pastes it straight into
    the statement, unquoted and without checking that
    it is a number

4
Careless Coding
  • A hacker could exploit this vulnerability by
    injecting sql code in the data, since it becomes
    part of an sql statement
  • For example, the hacker could try to guess the
    name of a table (properties) with this data
  • 300000 and ( select count(*) from properties ) > 1

5
Careless Coding
  • The sql query becomes
  • select * from properties where price < 300000
    and ( select count(*) from properties ) > 1
  • The syntax is correct and the query will be
    processed if there is a table named properties in
    our database; if there is no such table, the
    database returns an error instead of rows, so the
    difference in the response tells the hacker
    whether the guess was right

6
SQL Injection
  • Once the hacker has the name of the table
    (properties), he/she could guess the name of a
    column (city) with this data entry
  • 300000 and ( select count(*) from properties
    where city <> '' ) > 1
  • Again, a guessed column that does not exist
    produces an error, while one that exists lets the
    query run normally

7
SQL Injection
  • SQL injection is not limited to just numbers
  • Even if the data input is a string, the hacker
    could attempt sql injection
  • select * from properties where city = 'Baltimore'
  • In the example above, Baltimore is supplied by
    the user

8
Careless Coding
  • $sql = "select * from properties where city = '$_POST[city]'";
  • In the example above, the user supplied the data in
    the text field named city from the form that is
    being processed
  • Note the single quotes around $_POST[city]

9
Careless Coding
  • Again, a hacker could exploit this vulnerability
    by injecting sql code in the data, since it
    becomes part of an sql statement
  • For example, the hacker could try to guess the
    name of a table (properties) with this data (note
    the leading single quote, which closes the string
    our code opened, and the trailing --)
  • Baltimore' and ( select count(*) from properties ) > 1 --

10
Careless Coding
  • The sql query becomes
  • select * from properties where city = 'Baltimore'
    and ( select count(*) from properties ) > 1 -- '
  • Everything after -- is a comment in SQL
  • The user input is everything from Baltimore' up
    to and including the --; the last ' from our code
    is commented out by the user (in MySQL the -- must
    be followed by a space to start a comment, so the
    injected data ends with "-- ")
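
The two careless scripts (slides 3 and 8) and the guesses from slides 4, 6 and 9, re-created as an added, runnable example that is not part of the deck. It uses Python with an in-memory SQLite database instead of PHP and MySQL, and the rows in the properties table are constructed for the demo (only the column names city and price come from the slides). The point it adds to the slides is the signal the hacker actually reads: a valid guess returns rows, a wrong guess returns a database error, and the careless code hands both back.

```python
import sqlite3

# Constructed sample data standing in for the deck's "properties" table.
# The column names (city, price) come from the slides; the rows are made up.
SAMPLE_ROWS = [
    ("Baltimore", 250000),
    ("Baltimore", 410000),
    ("Annapolis", 275000),
]


def make_db():
    """In-memory SQLite database with the properties table, so the demo is self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table properties (city text, price integer)")
    conn.executemany("insert into properties (city, price) values (?, ?)", SAMPLE_ROWS)
    return conn


def careless_price_query(conn, price_input):
    """Slide 3: the user's text is pasted into the statement, unquoted."""
    sql = "select * from properties where price < " + price_input
    return conn.execute(sql).fetchall()


def careless_city_query(conn, city_input):
    """Slide 8: the user's text is pasted between single quotes."""
    sql = "select * from properties where city = '" + city_input + "'"
    return conn.execute(sql).fetchall()


def probe(conn, query_func, payload):
    """Run one guess and report what the hacker sees.

    ("rows", n)      the injected statement was valid and returned n rows
    ("error", text)  the database rejected it (unknown table or column, bad syntax)
    That distinction is all that is needed to confirm a guessed name.
    """
    try:
        return ("rows", len(query_func(conn, payload)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# Payloads from slides 4, 6 and 9, each paired with the same guess made
# against a name that does not exist, so the error/no-error difference shows.
TABLE_GUESS = "300000 and ( select count(*) from properties ) > 1"
BAD_TABLE_GUESS = "300000 and ( select count(*) from houses ) > 1"
COLUMN_GUESS = "300000 and ( select count(*) from properties where city <> '' ) > 1"
BAD_COLUMN_GUESS = "300000 and ( select count(*) from properties where zipcode <> '' ) > 1"
# Leading quote closes our string literal; trailing "-- " comments out our closing quote.
STRING_GUESS = "Baltimore' and ( select count(*) from properties ) > 1 -- "


if __name__ == "__main__":
    conn = make_db()
    for label, func, payload in [
        ("honest number", careless_price_query, "300000"),
        ("table guess: properties", careless_price_query, TABLE_GUESS),
        ("table guess: houses", careless_price_query, BAD_TABLE_GUESS),
        ("column guess: city", careless_price_query, COLUMN_GUESS),
        ("column guess: zipcode", careless_price_query, BAD_COLUMN_GUESS),
        ("honest string", careless_city_query, "Baltimore"),
        ("string injection", careless_city_query, STRING_GUESS),
    ]:
        print(f"{label:24} -> {probe(conn, func, payload)}")
```

With the sample rows, the honest value 300000 and the correct table and column guesses all return the same two rows (the hacker cannot tell them apart from normal use), the wrong guesses return "no such table: houses" and "no such column: zipcode", and the string payload runs because the closing quote our code appended now sits inside the comment.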

11
SQL Injection
  • Different programming languages (Perl, PHP, Java,
    ..) may or may not have built-in defenses against
    sql injection
  • DO NOT trust input, in particular user input
  • You MUST validate any input that becomes part of
    an sql query

12
SQL Injection Prevention
  • If you expect a number, add 0 to the input (and
    test that the result is really the number you
    expected)
  • $price = $_POST['price'];
  • $price = $price + 0;
  • Caveat: PHP keeps the leading digits of a string
    such as "300000 and ..." and only emits a warning,
    and in PHP 8 a wholly non-numeric string throws a
    TypeError, so check the value explicitly
    (is_numeric, intval, or filter_var with
    FILTER_VALIDATE_INT) rather than relying on the
    addition alone

13
SQL Injection Prevention
  • If you expect a string, escape ' and other
    special characters (and test)
  • $city = $_POST['city'];
  • $city = mysql_real_escape_string( $city );
  • mysql_real_escape_string needs an open database
    connection, and the mysql extension it belongs to
    was removed in PHP 7; use mysqli_real_escape_string
    or, better, a prepared statement with bound
    parameters, which keeps the data out of the sql
    text altogether
  • If you want to go further, you can test for the
    presence of sql keywords (select, where, from,
    ..) in the string provided by the user, but this
    is a weak check: legitimate input can contain
    these words and an attacker can often avoid them

14
SQL Injection Prevention
  • An sql injection attack can come from other
    places than a form
  • Example: a url with a query string (the part after
    the ?) typed directly into the browser; hidden form
    fields, cookies and http headers are other sources
    a script may read
  • Do not trust input; ALWAYS validate input that
    will be used to build an sql statement, no matter
    where the data comes from
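
The prevention steps of slides 12 to 14 carried through as one added example, not code from the deck. As before it uses Python and an in-memory SQLite database with constructed rows in place of PHP and MySQL, so the escaping helper shown is the SQL-standard quote doubling that SQLite accepts rather than mysql_real_escape_string's backslash escaping. It shows the strict numeric check, escaping as a fallback that only helps inside quotes, the parameterized query that removes the problem, and the same validation applied to a value taken from a URL query string instead of a form.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data; column names come from the slides, rows are made up.
SAMPLE_ROWS = [("Baltimore", 250000), ("Baltimore", 410000), ("Annapolis", 275000)]


def make_db():
    """In-memory SQLite database with the properties table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table properties (city text, price integer)")
    conn.executemany("insert into properties (city, price) values (?, ?)", SAMPLE_ROWS)
    return conn


def price_query_validated(conn, price_input):
    """Slide 12, done strictly: the input must parse as an integer or it is
    rejected. int() raises ValueError on "300000 and ( select ... )", where
    PHP's `$price + 0` would quietly keep 300000 and drop the rest. The
    validated number is then bound as a parameter, not pasted into the text."""
    price = int(price_input.strip())
    return conn.execute("select * from properties where price < ?", (price,)).fetchall()


def escape_sql_string(value):
    """Slide 13's escaping idea reduced to the quote character: doubling a
    single quote is the SQL-standard escape (SQLite uses it; MySQL's
    mysql_real_escape_string backslash-escapes and also handles NUL,
    newline and backslash)."""
    return value.replace("'", "''")


def city_query_escaped(conn, city_input):
    """Still builds the statement from strings, but the injected quote can no
    longer end the literal. This only works because the value sits inside
    quotes; escaping does nothing for the unquoted number on slide 3."""
    sql = "select * from properties where city = '" + escape_sql_string(city_input) + "'"
    return conn.execute(sql).fetchall()


def city_query_parameterized(conn, city_input):
    """The real fix: the SQL text is fixed and the value travels separately,
    so quotes and -- in the input are data, never syntax."""
    return conn.execute("select * from properties where city = ?", (city_input,)).fetchall()


def handle_price_request(conn, query_string):
    """Slide 14: the same validation applied to a value read from a URL query
    string (?price=...) instead of a form field. Returns ("rows", n) or
    ("rejected", reason); a rejected request never reaches the database."""
    values = parse_qs(query_string).get("price", [])
    if len(values) != 1:
        return ("rejected", "price must be supplied exactly once")
    try:
        return ("rows", len(price_query_validated(conn, values[0])))
    except ValueError:
        return ("rejected", "price must be an integer")


# The slide 9 payload, to show it is inert against the hardened code.
STRING_GUESS = "Baltimore' and ( select count(*) from properties ) > 1 -- "


if __name__ == "__main__":
    conn = make_db()
    print(handle_price_request(conn, "price=300000"))
    print(handle_price_request(conn, "price=300000+and+(select+count(*)+from+properties)+>+1"))
    print(len(city_query_escaped(conn, STRING_GUESS)), len(city_query_parameterized(conn, STRING_GUESS)))
    print(len(city_query_parameterized(conn, "Baltimore")))
```

Against the sample rows the injected string payload now matches nothing (the database is asked for a city literally named "Baltimore' and ( select ... ) > 1 -- "), the honest city still returns its two rows, and the injected price arriving via the query string is rejected before any SQL is built.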

15
Password hashing
  • Passwords in databases should never be stored in
    the clear; store only the output of a one-way
    (hash) function, so that a dump of the table does
    not reveal the passwords themselves
  • md5 and sha1 are not suitable for this: they are
    fast and unsalted, so identical passwords hash to
    identical values and precomputed tables crack them
    quickly; feeding one into the other does not make
    the result stronger
  • Use a salted, deliberately slow password hash
    (bcrypt, scrypt, PBKDF2 or Argon2); in PHP,
    password_hash() and password_verify() do this for
    you

16
SQL Injection
  • DO NOT ATTEMPT sql injection other than on our
    leda server, in the examples that I have built or
    that you can build yourself
  • It is ILLEGAL to crack someone's password
  • Perpetrators could face jail time