SQL Injection

Learn what SQL Injection is, how it is achieved, and how to defeat it.

Attacking by injecting code to the structured query language.

Episode # 4-01 available on : Youtube Vimeo 

Released: September 14, 2013

SQL Injection is a big problem with the internet, you can do tons of damage, and steal millions of accounts in this way. Today, learn what it is, how it is done, how it can be avoided, and how to know when you are dealing with amateurs.

What is SQL injection?

SQL commands are written in a very predictable fashion. This makes them vulnerable to manipulation from cross site scripting, and other forms of attacks. And, because the entire SQL query can be made entirely from variables from the GET, POST, HEADER, COOKIE and REQUEST super globals, this makes it entirely possible for anyone to compromise a portion or the entirety of databases that web-sites run from. Furthermore, even if you run SQL queries in read-only mode until you need to manipulate the database, it is possible to trick the query into giving the entire table, or database itself, revealing all the data available to the web-site.

How is SQL Injection achieved?

There are plenty of ways to achieve SQL injection attacks, but the most common requirement is knowing the table and row names. Like most other kinds of hacks, knowledge of the target is required. It is possible to guess, however, not everyone names things the same way.

Okay, besides knowledge of the database, how do we injection malicious code? We must engineer the variables to take advantage of the query in a way that benefits us, the hacker. If we know where in the query the variable is, we can modify it to using the variable to introduce new unintended functionality in the code, like emailing the database like below.

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x';
UPDATE members
SET email = 'steve@unixwiz.net'
WHERE email = 'bob@example.com';

The variable email was represented by:

UPDATE members
SET email = 'steve@unixwiz.net'
WHERE email = 'bob@example.com';

There are three ways of preventing this kind of attack. Limit most queries to read-only modes. In MYSQLi, this means setting up two database variables, one with read-only functionality, the other having for read/write functionality, which should only be used for registration and updating of various data sets. In this case, a user with one email had his email changed, and now the malicious user can now attempt to use the lost password form. Two other ways of preventing this kind of attack include validating the field's contents, like applying a rule for email addresses, or using other types of alphanumeric rules. You can, also, add slashes, or escape the string.

Is using the form the only way to attack the web-site's database to get the data?

No. You may use the GET, POST, HEADER, COOKIE and REQUEST super globals to attack the web-site, meaning that you have to sanitize ALL inputs in your web-site, regardless of the type. If the variable can be changed, it must be sanitized. If you are trying to save sometime and want to blanket validate all variables, you can use a form of PHP like below.

foreach ($_GET as $key=>$value) {
$_GET[$key] = stripslashes($_GET[$key]);
$_GET[$key] = mysqli_real_escape_string($con, $_GET[$key]);

The super global GET can be exchanged for anything you need it for, to make sure you code is safe. This set of code is created for MYSQLi with a PHP5+ environment.

Now, I promised that I would explain how we are dealing with amateurs, at least when it comes to database creation, and code construction. It is relatively easy.

If you are having a web-site created for you, and doesn't ask the abilities of your server such as types of usable encryption, hashing, etc... then that is a clue.

If you have user accounts, and the program doesn't suggest using SSL to prevent account hijacking via sessions, then you have a problem.

And, more importantly, if the programmer believes that sensitive database variables don't need to be encrypted because you use SSL, fire him.

While encrypting everything may tax your server and cause a potential DDOSing accident from just having too many people logging in, you should iteratively hash all passwords, secret answers, etc.... You should use the strongest encryption available to you to protect all credit card information, addresses, etc...

Next week, I will explain what is, and how to iteratively hash correctly. I'll, also, explain how to prevent hash collisions in the process, how to prevent accidental DDOSing in the process.

Remember to like this episode if you were interested in today's topic, share if you think someone else could benefit from the topic, and subscribe if you want to learn more. For the show notes of this episode and others, for more information on other ways to subscribe to our show, to subscribe to our weekly newsletter, and how to participate by submitting your questions, comments, suggestions, and stories, head over to TQAWeekly.com.

Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources

CommentsLogin or Register to post comment

Be the first to comment on this episode.

Posted by ask
September 14, 2013



html text

View previous campaigns.

Powered by MailChimp

Latest Comments

Completely Erased

It should remove all traces of the virus, provided the hard drive has no bad sectors on it. It it does, you the mentioned Spinrite to try to fix the hard drive then run DBAN after, but usually, DBAN can erase the entire drive without issue. I've used it on maximum and let it run almost 16 hours on my friends computer, that is why this episode exists.

Completely Erased

Great! I am going to run 'autonuke' on a machine that has polymorphic malware, not sure if it is in the MBR or somewhere else on the machine. Assuming autonuke runs fully without any error, will it remove the malware from the computer with certainty?

Completely Erased

Yes, it will wipe all data, including the master boot record on your hard drive. If you are unable to get DBAN to work correctly, consider using Spinrite to fix the drive so DBAN can work, rarely needed, good to have.


Log Into TQA Weekly

Register | Lost Password?