Security Information and Review

Collection of security information and review

SQL Injection Attacks and SQL Server Security

Author: Admin

SQL Injection is a technique for manipulating SQL commands that exploits a vulnerability in the web application layer sitting in front of SQL Server. It is an aspect of SQL Server security that many programmers and administrators need to consider. The vulnerability arises when a user enters text into a form of the web application: this form of SQL Injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. For example, a web application's login form authenticates entry to the system by requiring a user name and password. The user name and password fields are used to build an SQL query against the database that checks whether a user with that name and password exists. Below is an example of SQL Injection in a PHP login form that receives its input via the POST or GET method, using a user table.

CREATE TABLE `tb_user` (
	`ucode` varchar(20) NOT NULL,
	`fullname` varchar(50) NOT NULL,
	`username` varchar(20) NOT NULL,
	`password` varchar(30) NOT NULL,
	PRIMARY KEY (`ucode`)
);

See the PHP / HTML code that is usually used in a login form:

<form class="login" action="login.php" accept-charset="utf-8" method="post">
	<label for="username">Username:</label>
	<input id="username" name="username" type="text" />
	<label for="password">Password:</label>
	<input id="password" name="password" type="password" />
	<input id="submit" name="submit" type="submit" value="Login" />
</form>

The following lines of code, and the SQL command they build, illustrate this vulnerability:

	// The submitted values are used directly: no escaping and no prepared statement
	$username = $_POST['username'];
	$password = $_POST['password'];
	$query = "select username, password from tb_user where username = '" . $username . "' and password = '" . $password . "'";

This SQL code is designed to pull up the record of the specified username and password from the user table. We would think that only a valid username and password can log in to the system, but that is not true: anybody can log in with a simple trick. For example, we will test the vulnerability with the username test and password test plus injection code, so the username and password fields both contain: test' or '1'='1. The final SQL command then becomes:

	$query = "select username, password from tb_user where username = 'test' or '1'='1' and password = 'test' or '1'='1'";

We can see that the final query is always true and returns rows from the user table. As a result, the malicious user can log in to the system.
Depending on the actual SQL query, we may have to try some of these possibilities:

      OR 1=1--
      " or 1=1--
      or 1=1--
      ' or 'a'='a
      " OR "a"="a
      ') or ('a'='a
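To make the mechanism above concrete, here is an added Python example (not code from the original post) that rebuilds the same login query against an in-memory SQLite table mirroring tb_user, with one constructed sample row, and contrasts it with the parameterized form that the post defers to a follow-up article. The sqlite3 usage and the sample data are assumptions of this example; the vulnerable function reproduces the string concatenation from the PHP snippet.

```python
import sqlite3


def make_db():
    # Constructed sample schema and row, mirroring the post's tb_user table (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb_user ("
        " ucode TEXT PRIMARY KEY, fullname TEXT NOT NULL,"
        " username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO tb_user VALUES ('u001', 'Sample User', 'test', 'secret')"
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # Same construction as the post's PHP: untrusted input is spliced into the SQL text,
    # so a quote in the input closes the literal and the remainder is parsed as SQL.
    return (
        "select username, password from tb_user where username = '" + username
        + "' and password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    # Returns every row the injected predicate matches; with "or '1'='1'" that is all rows,
    # because AND binds tighter than OR, so the trailing OR makes the whole WHERE true.
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds values separately from the SQL text, so
    # "test' or '1'='1" is compared as a literal username and matches nothing.
    query = "select username, password from tb_user where username = ? and password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "test' or '1'='1"
    print(build_vulnerable_query(payload, payload))
    print("vulnerable:    ", login_vulnerable(db, payload, payload))
    print("parameterized: ", login_parameterized(db, payload, payload))
```

Running the script prints the assembled query, shows the vulnerable function returning the sample row even though neither field holds valid credentials, and shows the parameterized function returning nothing for the same input while still accepting the genuine username and password.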

See how to prevent SQL Injection attacks with a simple mechanism in PHP in the next article on this site.

Categories: Web Application Security