What is SQL Injection

In this article I will cover the basics of SQL Injection: how it works and how to prevent it. SQL Injection is still the most common technique used by hackers to compromise a database, and sometimes even the whole server. Although there are many techniques for defending against this attack, and many research papers on it, the vulnerability is still being found in many popular CMSs.

How It Works

Let's take a very basic example of SQL Injection, and then I will discuss how to prevent this vulnerability.

So we have a login form, vulnerable to SQL Injection, that takes a username and password from the user; the database server then checks whether that pair is valid.

Web Form

So what is a normal user supposed to submit? He or she will simply submit a valid username and password.

For example, the user inputs:

Username = noman

Password = noman123

The query will then simply search the users table for a row where the username is "noman" and the password is "noman123"; if such a row exists in the database, access is granted.

Now what will a hacker actually do to get access to the account of user "noman"? He will use the following username and password:

Username = noman

Password = x'='x

Now what will this query do? Let us put these values into the query:

SELECT * from users WHERE name='noman' AND password='x'='x';

This query will search the name column for the username 'noman', but instead of searching the password column for the literal text x'='x, the single quote in the input ends the string literal, so the database sees the password condition as

password='x'='x'

This is a true statement, so the database server returns boolean TRUE and access is granted.

How To Prevent SQL Injection

The basis of SQL Injection prevention is to properly filter the user's input before sending it to the database. Prepared statements are still considered the best technique for preventing SQL Injection attacks. As the name suggests, a prepared statement is a query whose structure is fixed in advance, and user input is passed to it only as data; an attacker's injected SQL is therefore ignored, and only the queries that were built in, or prepared, are executed. You can see the reference PDO – Prepared Statements.
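The following is an added example, not code from the article, that puts both halves of the discussion side by side: the string-concatenated login query from the "How It Works" section and the prepared (parameterised) form recommended above. It uses Python's sqlite3 module and an in-memory database instead of the PHP PDO the article refers to; the users table, the sample row and the function names are constructed for the example. The vulnerable builder is kept deliberately vulnerable so you can see the article's password value turn the query text into exactly the query shown earlier.

```python
import sqlite3

# Table and sample row are constructed for this example; the names mirror the article.
SCHEMA = "CREATE TABLE users (name TEXT, password TEXT)"
SAMPLE_ROWS = [("noman", "noman123")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    """VULNERABLE (kept that way on purpose): splices raw input into the SQL text.

    A single quote inside `password` terminates the string literal, so whatever
    follows it is parsed by the database as SQL syntax rather than as data.
    """
    return f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"


def login_unsafe(conn, username, password):
    """The article's vulnerable login: executes the concatenated query text."""
    return conn.execute(build_query_unsafe(username, password)).fetchall()


# Prepared form: the SQL text is fixed at coding time, `?` marks the data slots.
SAFE_QUERY = "SELECT * FROM users WHERE name=? AND password=?"


def login_safe(conn, username, password):
    """Safe login: the driver binds the inputs as values; they can never alter the query."""
    return conn.execute(SAFE_QUERY, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x'='x"  # the password value from the article
    print("query text with payload spliced in:")
    print("  " + build_query_unsafe("noman", payload))
    print("prepared login, valid credentials:", login_safe(conn, "noman", "noman123"))
    print("prepared login, article payload  :", login_safe(conn, "noman", payload))
```

The generated text for the payload is character-for-character the query from the "How It Works" section, which is the whole problem: the quote in the input changed the query's structure. With the prepared statement the same input is simply a password string that matches no row. One caveat when reproducing the article's bypass: whether the condition password='x'='x' actually evaluates as true depends on the database engine's type coercion. MySQL compares the integer result of password='x' with 'x' converted to 0, so it holds there, which is the behaviour the article describes; SQLite does not coerce a text literal to a number, so the identical text is false there and login_unsafe returns no row. The example therefore asserts on the SQL text it produces, not on SQLite's verdict for the malicious input. In PDO the equivalent is $pdo->prepare('SELECT * FROM users WHERE name=? AND password=?') followed by execute([$user, $pass]).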

