Wednesday, April 7, 2010

How SQL Injection works

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.
A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed. The injection process works by terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark "--", so that any subsequent text is ignored at execution time.
Example:

SELECT * FROM Shipments where tracking_id = '@tracking'

Where @tracking is a variable holding the value the user entered. Under normal circumstances this works as intended. For example, if a user enters the tracking number 1A2123ZC2, the corresponding query would be:

SELECT * FROM Shipments where tracking_id = '1A2123ZC2'

Our assumption is that the user will only enter a valid tracking number. Malicious individuals are not likely to be so cooperative. Suppose that the user instead enters the string shown below in the tracking number field:

1A2123ZC2' or true

The corresponding query will now be:

SELECT *
FROM Shipments WHERE tracking_id = '1A2123ZC2' OR TRUE

This will have the unintended consequence of retrieving all of the tracking information stored in the database. If the user enters the following string:

1A2123ZC2'; DELETE FROM Shipments

This would cause the database to execute the following query:

SELECT *
FROM Shipments WHERE tracking_id = '1A2123ZC2';
DELETE FROM Shipments

This will have the clearly undesirable result of deleting all of the tracking information from the database.
