SQL Injection

SQL Injection SQL Injection SQL Injection SQL Injection SQL InjectionSQL Injection is an attack where an attacker exploits the security loopholes in your application. It is common that the developers take user input and form SQL queries based on the user input. It is fine if the user enters valid input. But if the user enters something malicious, it will be really disastrous. If this user input is not validated, it may cause your SQL statement to execute malicious SQL Commands (SQL Injection) on your database.

SQL Injections can be of many types, some of them may fetch critical data from the database, some others may alter the database schema, drop the tables, insert malicious SQL commands as data in the tables which get executed later, etc. anything you can imagine can be done with SQL Injection.

Consider that you write SQL query to fetch details of a customer based on customer's last name given by the user…

Dim SQL As String = "SELECT * FROM Customers WHERE LastName='" & txtLName.Text & "';"

Now the user is supposed to enter the Last Name of the customer in the textbox named txtLName. If the value in textbox is not validated properly that value may be appended into the string and form a malicious SQL command. If the user enters something like this in the textbox…

            ' UNION SELECT * FROM sysobjects--

Then the query will be…

            SELELCT * FROM Customers WHERE LastName='' UNION SELECT * FROM sysobjects--';

This query is supposed to show details of all customers with last name given in the textbox. But this query will do something malicious. Here concentrate on the user input, the first apostrophe will close the LastName value string and then UNION and the next select retrieves list of all objects in the database. The last two dashes will start a SQL comment so that the apostrophe and semicolon given in the main SQL string become comment and won’t cause an error. This query retrieves details of all the objects present in the database. With this the hacker can come to know which are the different tables, stored procedures, etc in your database.

SQL Injections can do different things like dropping tables, creating tables, execute other types of SQL commands like fetching disk statistics, executing shell commands, etc. SQL Injections can be far more disastrous than it can be imagined.

Possible Solutions
Although preventing SQL Injection is not much difficult, many developers just unknowingly ignore it.  Some of the developers just don't know what SQL Injection means. There are numerous websites that are prone to SQL Injections and hackers always manage to find out such websites to perform SQL Injection attacks for illicit purposes. Following are some of the ways to prevent SQL Injection…
  • Validation – The first and the most important thing is to validate data that the user has entered into the fields provided. This validation should be client side as well as server side.
  • User Privileges – Connect to the database with the user with least privileges sufficient for the purpose. If the user has high privileges, the hacker can exploit them and do almost anything.
  • Custom User – The best way is to create a user with custom privileges required and revoke all other  unnecessary privileges that can be exploited by the hacker.
  • String concatenation – Avoid forming SQL queries with string concatenation, such as taking user input and concatenating it into the WHERE clause, etc.
  • Stored Procedures – Prefer using stored procedures and parameterized queries rather than simple command text.
  • Encryption – Even though we take all the precautions that we could, we cannot always guarantee that we can keep our database and the system 100% safe from hacker. To be ready for such worst cases, try to encrypt critical data. Data such as user login password can be salt hashed and storing them as plain text should be avoided. This would certainly make the intrusion of the hacker more difficult if not impossible.


Post a Comment