SQL Injection Attacks
By Komal Arora

Transcript of SQL Injection Attacks

Page 1: SQL Injection Attacks

SQL Injection Attacks

By Komal Arora

Page 2: SQL Injection Attacks

How a dynamic website works...

Programming language in the front end and DATABASE in the back end.

Queries are used to store or retrieve data

Page 3: SQL Injection Attacks

How do we make a secure Dynamic website?

JavaScript validations.... Server-side validations..... No script tags should be allowed....

And avoid SQL injections....

Page 4: SQL Injection Attacks

What is a SQL Injection ATTACK?

Many web applications take user input from a Form

• Often this user input is used literally in the construction of a SQL query submitted to a database. For example:

– SELECT productdata FROM table WHERE productname = 'user input product name';

• A SQL injection attack involves placing SQL statements in the user input

Page 5: SQL Injection Attacks

An Example SQL Injection Attack

Product Search: blah' OR '1' = '1

• This input is put directly into the SQL statement within the Web application:

– $query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";

Creates the following SQL:

– SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR '1' = '1'

– Attacker has now successfully caused the entire database to be returned.

Page 6: SQL Injection Attacks

Another example

What if the attacker had instead entered:

– blah'; DROP TABLE prodinfo; --

• Results in the following SQL:

– SELECT prodinfo FROM prodtable WHERE prodname = 'blah'; DROP TABLE prodinfo; --'

– Note how comment (--) consumes the final quote

• Causes the entire database to be deleted

– Depends on knowledge of table name

– This is sometimes exposed to the user in debug code called during a database error

– Use non-obvious table names, and never expose them to user

Page 7: SQL Injection Attacks

Other injection possibilities

Using SQL injections, attackers can:

– Add new data to the database

• Selling someone else's items on an eCommerce site

• Perform an INSERT in the injected SQL

– Modify data currently in the database

• Could be very costly to have an expensive item suddenly be deeply 'discounted'

• Perform an UPDATE in the injected SQL

– Often can gain access to other users' system capabilities by obtaining their password

Page 8: SQL Injection Attacks

Defenses

Check syntax of input for validity

Do not allow problematic characters (e.g., '*', '=' in user input)

• If you can exclude quotes and semicolons that's good

– Not always possible: consider the name Bill O’Reilly

• Have length limits on input

– Many SQL injection attacks depend on entering long strings

Page 9: SQL Injection Attacks

More...

Scan query string for undesirable word combinations that indicate SQL statements

– INSERT, DROP, etc.

– If you see these, can check against SQL syntax to see if they represent a statement or valid user input

• Limit database permissions and segregate users

– If you're only reading the database, connect to database as a user that only has read permissions

– Never connect as a database administrator in your web application
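The "connect as a user that only has read permissions" defense, shown as an added Python example (not code from the deck): the same price-changing UPDATE from page 7 is run over a read-only and a read-write SQLite connection. SQLite's mode=ro URI stands in for a read-only database account here, and the catalog rows are constructed.

```python
import os
import sqlite3
import tempfile


def create_catalog(path):
    # Constructed sample catalog standing in for the deck's prodtable.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE prodtable (prodname TEXT, price INTEGER)")
    conn.execute("INSERT INTO prodtable VALUES ('laptop', 1200)")
    conn.commit()
    conn.close()


def connect_read_only(path):
    # SQLite's stand-in for a read-only database account: open with mode=ro.
    # On a server database this would be a separate user granted SELECT only.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def try_discount(conn):
    # The kind of UPDATE an injected statement would issue (the page-7 "deep
    # discount"). Returns True if it went through, False if blocked.
    try:
        conn.execute("UPDATE prodtable SET price = 1 WHERE prodname = 'laptop'")
        conn.commit()
        return True
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        conn.rollback()
        return False


def price_of(conn, name):
    rows = conn.execute("SELECT price FROM prodtable WHERE prodname = ?", (name,)).fetchall()
    return rows[0][0] if rows else None


def demo():
    # Same statement, first over the least-privilege connection, then over an
    # over-privileged one. Returns (blocked?, price after, allowed?, price after).
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        create_catalog(path)
        ro = connect_read_only(path)
        blocked, before = try_discount(ro), price_of(ro, "laptop")
        ro.close()
        rw = sqlite3.connect(path)
        allowed, after = try_discount(rw), price_of(rw, "laptop")
        rw.close()
        return (blocked, before, allowed, after)  # (False, 1200, True, 1)
    finally:
        os.remove(path)
```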

Page 10: SQL Injection Attacks

Configure database error reporting

– Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)

– Configure so that this information is never exposed to a user

• If possible, use bound variables

$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
$sth->execute($email);
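The page-5 input run against the deck's concatenated $query and against the bound-variable form just shown, as an added example in Python with sqlite3 (not code from the deck, which uses PHP and Perl). The product rows are constructed; one of them carries the page-8 apostrophe case.

```python
import sqlite3

# Constructed sample rows standing in for the deck's prodtable.
PRODUCTS = [
    ("widget", "blue widget, 10 USD"),
    ("gadget", "red gadget, 25 USD"),
    ("O'Reilly", "book, 30 USD"),  # the page-8 apostrophe case
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prodtable (prodname TEXT, prodinfo TEXT)")
    conn.executemany("INSERT INTO prodtable VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, prod_search):
    # Mirrors the deck's $query: the input is concatenated into the SQL text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + prod_search + "'"
    return [row[0] for row in conn.execute(query)]


def search_bound(conn, prod_search):
    # Bound variable (page 10): the SQL text is fixed and the value travels
    # separately, so quotes in it are data and can never become syntax.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = ?"
    return [row[0] for row in conn.execute(query, (prod_search,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "blah' OR '1' = '1"            # the deck's page-5 input
    print(search_vulnerable(conn, payload))  # all three rows come back
    print(search_bound(conn, payload))       # []: no product has that literal name
    print(search_bound(conn, "O'Reilly"))    # ['book, 30 USD']: the apostrophe just works
```

Searching for O'Reilly through search_vulnerable raises a syntax error instead, which is the same quote-handling defect seen from the other side.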

Page 11: SQL Injection Attacks

How can we do it in CodeIgniter?

Escaping Queries

It's a very good security practice to escape your data before submitting it into your database.

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', ".

Page 12: SQL Injection Attacks

Examples...

$this->db->escape()

This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to:

$sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";

$this->db->escape_str()

This function escapes the data passed to it, regardless of type. Most of the time you'll use the above function rather than this one. Use the function like this:

$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";

$this->db->escape_like_str()

This method should be used when strings are to be used in LIKE conditions so that LIKE wildcards ('%', '_') in the string are also properly escaped.

$search = '20% raise';
$sql = "SELECT id FROM table WHERE column LIKE '%".$this->db->escape_like_str($search)."%'";
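Why LIKE wildcards need their own escaping even when the value is bound: the deck's '20% raise' search, as an added Python/sqlite3 example rather than CodeIgniter code. escape_like_str here is a hypothetical re-implementation of what the CI method does, and the note rows are constructed.

```python
import sqlite3

# Constructed sample rows: only the first contains the literal text "20% raise".
ROWS = ["asked for a 20% raise", "20 raise tickets filed", "2000 raises next year"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes (body) VALUES (?)", [(r,) for r in ROWS])
    return conn


def escape_like_str(s, esc="\\"):
    # Same job as CodeIgniter's escape_like_str(): neutralise the LIKE
    # wildcards '%' and '_' (and the escape character itself) in user text.
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_naive(conn, term):
    # Bound parameter, so no SQL injection, but '%' and '_' inside the term
    # still act as wildcards: the search means something the user did not say.
    rows = conn.execute("SELECT id FROM notes WHERE body LIKE ?", ("%" + term + "%",))
    return [r[0] for r in rows]


def search_escaped(conn, term):
    # Escape the user's term and tell SQL which escape character was used, so
    # the pattern matches the literal text "20% raise" only.
    pattern = "%" + escape_like_str(term) + "%"
    rows = conn.execute("SELECT id FROM notes WHERE body LIKE ? ESCAPE '\\'", (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print(search_naive(conn, "20% raise"))    # [1, 2, 3]: '%' matched anything
    print(search_escaped(conn, "20% raise"))  # [1]
```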

Page 13: SQL Injection Attacks

Query Bindings

Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));

The question marks in the query are automatically replaced with the values in the array in the second parameter of the query function.

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.