SQL Injection

By Amr Saafan Technical, Database, Engineering SQL, SQL Injection, SQL Server 8 Comments

It is a way of hacking on a database driven application in which the hacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

SQL injection hackers are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.

SQL injection attacks typically are easy to avoid by ensuring that a system has strong input validation.

Example:

This is your query when the user clicks on a Login button in your system

Select [UserName], [Password] From Users Where UserID = 1;

Here is what the hacker would type in the input fields like username textbox:

Select [UserName], [Password] From Users Where UserID = 1;
Drop Table Users;

Never use a direct query from your application to database.

Instead use web services or stored procedures and implement layers such as data access layer and business logic layer, this would protected you against SQL injection.

Comments (8)

Mohammed Shehata Reply

ma shaa Allah, jazakum Allahu khayran 🙂 loved the post, simple enough.

November 4, 2008 at 11:59 AM
Unknown Reply

Thanks Amr

November 4, 2008 at 2:49 PM
Mina Saad Reply

if I insist to use simple queries , is there a work around to not be injected?

November 4, 2008 at 2:57 PM
- Amr Saafan
  
  The only work around that I can think of is to remove all the special characters that you might have in your query. Still I don’t recommend that.
  
  November 5, 2008 at 4:42 PM
Anonymous Reply

Nice post!

November 5, 2008 at 7:09 PM
Unknown Reply

There is a way to use direct SQL commands without using stored procedures, if you are using asp.net, wrap your query variable in SQL Parameter.
If you are using PHP, wrap your query variable in function mysql_escape_string.
This simply converts harmful chars to non harmful chars..

November 13, 2008 at 11:13 AM
Polly Singleton Reply

I have read so many posts concerning the blogger lovers however this article is truly a pleasant paragraph, keep it up.

January 13, 2012 at 8:12 PM
Marcia Schultz Reply

It’s a pity you don’t have a donate button! I’d certainly donate to this superb blog! I suppose for now I’ll settle for book-marking and adding your RSS feed to my Google account. I look forward to new updates and will talk about this site with my Facebook group. Talk soon!

June 13, 2013 at 8:11 PM

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

SQL Injection

SQL Injection

Author

Comments (8)

Leave a Reply Cancel reply

SQL Injection

SQL Injection

Share this post

Author

Comments (8)

Leave a Reply Cancel reply

Related Posts