SQL injection

SQL injection

It is a way of hacking on a database driven application in which the hacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

SQL injection hackers are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.

SQL injection attacks typically are easy to avoid by ensuring that a system has strong input validation.

Example:

This is your query when the user clicks on a Login button in your system

Select [UserName], [Password] From Users Where UserID = 1;

Here is what the hacker would type in the input fields like username textbox:

Select [UserName], [Password] From Users Where UserID = 1;
Drop Table Users;

Never use a direct query from your application to database.

Instead use web services or stored procedures and implement layers such as data access layer and business logic layer, this would protected you against SQL injection.


Share this post



Comments

  • Mohammed Shehata Reply

    ma shaa Allah, jazakum Allahu khayran :) loved the post, simple enough.

    Tuesday, November 04, 2008 at 11:59 AM
  • Unknown Unknown Reply

    Thanks Amr

    Tuesday, November 04, 2008 at 02:49 PM
  • Mina Saad Reply

    if I insist to use simple queries , is there a work around to not be injected ?

    Tuesday, November 04, 2008 at 02:57 PM
    • Amr Saafan Reply

      The only work around that I can think of is to remove all the special characters that you might have in your query. Still I don't recommend that.

      Wednesday, November 05, 2008 at 04:46 PM
  • Anonymous Anonymous Reply

    Nice post!

    Wednesday, November 05, 2008 at 07:09 AM
  • Unknown Unknown Reply

    There is a way to use direct SQL commands without using stored procedures, if you are using asp.net, wrap your query variable in SQL Parameter. If you are using PHP, wrap your query variable in function mysql_escape_string. This simply converts harmful chars to non harmful chars..

    Thursday, November 13, 2008 at 08:13 AM

Leave a comment


Previous Post

Next Post