SQL injection is an attack that can lead to compromising sensitive data and even complete system takeover.
It’s important for developers and system administrators to be aware of this threat and take preventive measures. Using prepared statements with parameterized queries, validating and sanitizing input data, as well as conducting regular security audits, can significantly reduce the risk of a successful attack.
Here’s an example of code vulnerable to SQL injection:
<?php
$username = $_POST[“username”];
$password = $_POST[“password”];
$query = “SELECT * FROM users WHERE username = ‘$username’ AND password = ‘$password'”;
$result = mysqli_query($connection, $query);
if (mysqli_num_rows($result) > 0) {
// login successful
} else {
// login failed
}
?>
In this example, the PHP script attempts to authenticate a user by matching the username and password with records in the ‘users’ table.
- The issue with this code is that it directly incorporates user input ($username and $password) into an SQL query without proper validation or sanitization. This means that in the event of injection into the username and password fields, it could lead to unintended command execution.
For instance, entering into the username field: admin’ — would modify the query to:
SELECT * FROM users WHERE username = ‘admin’ –‘ AND password = ‘whatever_password_entered’
This injection would comment out the rest of the query, bypassing the password check, consequently allowing the attack to succeed.
— To mitigate this vulnerability, user inputs should be validated and sanitized. To construct SQL queries, it’s essential to use prepared statements with parameterized queries. It would look something like this:
$stmt = $connection->prepare(“SELECT * FROM users WHERE username = ? AND password = ?”);
$stmt->bind_param(“ss”, $username, $password);
$stmt->execute();b
Hence, it won’t be executed as a query and will be treated as a string, preventing attacks using SQL injections.
Main CVEs associated with this vulnerability:
Tools for automated detection and exploitation:
- sqlmap: Automates the process of discovering and exploiting SQL injection vulnerabilities and seizing control of database servers.
- SQLNinja: Specializes in finding SQL injection vulnerabilities in web applications using Microsoft SQL Server.
- Havij: Identifies and exploits SQL injection vulnerabilities in a target application, capable of executing various types of attacks including Blind SQL injection and time-based SQL injection.
- sqldump: Allows for obtaining a database dump or a set of databases for backup creation or data transfer to another SQL server.
Conclusion
Utilize prepared statements with parameterized queries instead of concatenating strings to build SQL queries. Validate user-input data and sanitize it if necessary. Limit access rights to the minimum required for proper application functioning. Regularly audit your database and application logs for unusual activities. Don’t forget to update your software and system regularly and employ a firewall to block known attacks.