Summary -

In this topic, we described about the below sections -

SQL Injection is a type of code injecting web hacking technique. By using SQL Injection attacker may know the sensitive data that is unable to read like customer private details, passwords, credit card bills etc.. by inserting code from web page input. Attacker may hack the web application by using SQL Injection, which is used SQL database like MySQL, ORACLE, POSTGREL. In some cases attacker may destroy the database also. Attacker may process or manipulate data like UPDATE, INSERT, DELETE data in the database.

SQL Injection Examples

The various ways of SQL Injection attacks and techniques are explained as follows –

Let us consider below table(s) as an example table(s) to frame the SQL query for getting the desired results.

employee_details -

emp_id emp_name designation manager_id date_of_hire salary dept_id
001 Employee1 Director 2019-07-11 45000.00 1000
002 Employee2 Director 2019-07-11 40000.00 2000
003 Employee3 Manager Employee1 2019-07-11 27000.00 1000
004 Employee4 Manager Employee2 2019-10-08 25000.00 2000
005 Employee5 Analyst Employee3 2019-07-11 20000.00 1000
006 Employee6 Analyst Employee3 2019-10-08 18000.00 1000
007 Employee7 Clerk Employee3 2019-07-11 15000.00 1000
008 Employee8 Salesman Employee4 2019-09-09 14000.00 2000
009 Employee9 Salesman Employee4 2019-10-08 13000.00 2000

Retrieving hidden data – In this attacker modify the SQL query to get additional data from database.

If we want to show the emp_id is 002 details only by keeping all rows in privacy, attacker can use following query to get all employees information. The query was as follows –

 SELECT * FROM employee_details WHERE emp_id = 2 OR 1 = 1; 

Attacker can also use the following query also

SELECT * FROM employee_details WHERE emp_id = emp_id; 

By executing above query we can know the all details of all employees because 1=1 is always TRUE and then it returns all details from table.

Subverting application logic – In this attacker can modify the query, to change the logic of the application.

Let us consider when we need to specify a particular employee detail in query that employee details will returned in result set, But attacker can use the following query to get the all employees details without mentioning any one correct field details. The query was as follows -

SELECT * FROM employee_details WHERE emp_id = '' or '' = ''; 

By executing above query, attacker get all details of employees because '' = '' is always true.

UNION attacks – In this attacker can get details from another table also which is in the same database.

SELECT emp_name,designation,dept_id  FROM employee_details
 UNION all  
SELECT dept_name,dept_location,dept_id FROM department_details;   

By executing above query, attacker get details from department_details table also ike as shown in below –

emp_name designation dept_id
Employee1 Director 1000
Employee2 Director 2000
Employee3 Manager 1000
Employee4 Manager 2000
Employee5 Analyst 1000
Employee6 Analyst 1000
Employee7 Clerk 1000
Employee8 Salesman 2000
Employee9 Salesman 2000
Office Location1 1000
Sales Location2 2000

Blind SQLi attack – This extremely dangerous attack. By using this attacker can ask TRUE or FALSE questions. In this attacker cannot see the information of web application, But attacker can modify the structure of the database by knowing the nature of database. In Blind SQLi information cannot transferred through the attacker from web application.

Prevention of SQL Injection

We can prevent SQL Injection on web application by using parameterized queries. Parameterized queries are used, when uncertain input's are appeared in SQL query of WHERE clause and INSERT and UPDATE statements of values. Parameterized queries cannot handle untrusted input's in the names of columns and tables or in the ORDER BY clause also. The parameters represents the values, that are used in the execution of the query. The parameters are nothing but placeholders which are holding values. @ is used to represent the parameter in the SQL statement. SQL engine search for each parameter to ensure that it is correct or not for that column.