Have you ever heard of the term SQL injection? According to Wikipedia, SQL injection is a code injection technique that exploits a security vulnerability in an application's software. Simply put, SQL injection is a method you can use to gain access to a web application's database. An SQL injection attack can occur on any page of a web application that interacts with the database. For example, let's say you have landed on the login page of a website. A login form is basically a way for you to execute a certain query for a certain purpose. A basic login form usually executes a query such as:
“SELECT * FROM accounts WHERE username='&username' AND password='&password';”
The login form is the means by which you supply attribute values that replace the &username and &password variables. Let's say your login username is “admin” and your password is “adminpass”; then, when you click the login/submit button, the query you execute is:
“SELECT * FROM accounts WHERE username='admin' AND password='adminpass';”
Now, an SQL injection attack is the act of inserting a malicious query or code instead of normal attribute values. For example, instead of using a valid username and password, I can gain login access by using “1' OR '1=1'#” as my username and a random password such as “1234”. When I click the submit button, my query becomes:
“SELECT * FROM accounts WHERE username='1' OR '1=1'#' AND password='1234';”
Remember that in boolean algebra 1 OR 1=1 returns the value 1, and the # character in MySQL is a comment operator, so everything after # is treated as a comment and is not executed. So basically my query will always return the value 1, or TRUE in boolean terms. Just by using this simple method I can get past the website's login.
Now, SQL injection can also be used to find out an application's database structure by executing false queries and learning from the error messages produced by the database. We can use an automated SQL injection tool such as sqlmap for this. An automated tool will send hundreds of SQL injection queries for information gathering and database takeover. I will write a simple tutorial on using sqlmap for this later.
There has been a lot of research, and many methods have been proposed, for detecting and preventing SQL injection attacks, such as the use of PHP magic quotes and input validation.
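The login query above, built by string concatenation, next to the same query written as a parameterized statement. This is an added example, not code from the original post; it assumes Python's built-in sqlite3 module standing in for MySQL (so the payload closes the quote with '1'='1' and uses SQLite's -- comment marker instead of #), and the accounts table and its single row are constructed inline. Parameterized queries are a mitigation the post itself does not mention.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the post's `accounts` table (sqlite3
    # is assumed here instead of MySQL so the example runs without a server).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 'adminpass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the SQL text by concatenation, exactly the pattern the post
    # describes: a quote in the input becomes part of the query's syntax.
    query = ("SELECT * FROM accounts WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterized statement: the driver passes the values separately from
    # the SQL text, so quotes and comment markers are treated as data only.
    query = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    # Runs both versions against valid credentials and against the post's
    # login-bypass payload (adapted to SQLite syntax: quote closed, -- comment).
    conn = make_db()
    payload = "1' OR '1'='1'-- "
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "adminpass"),
        "payload_vulnerable": login_vulnerable(conn, payload, "1234"),
        "valid_safe": login_safe(conn, "admin", "adminpass"),
        "payload_safe": login_safe(conn, payload, "1234"),
    }


if __name__ == "__main__":
    # Expected: payload_vulnerable is True, payload_safe is False.
    print(demo())
```

In the concatenated version the payload rewrites the WHERE clause so the password check is commented out; in the parameterized version the same string is simply compared, literally, against the username column and matches nothing.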