What is the use of SQL Injection?

  • Hi,

    What is the use of SQL Injection?

    Is it meant by attacking the database to misbehave?

    Can any one tell me where it is used?

  • SQL Injection is used by hackers in an attempt to steal or damage a company's data. It is usually a result of poor programming using dynamic sql constructs. Not that dynamic sql itself is bad, just that many developers don't properly protect the code they write from SQL Injection.

  • Can you give me any example how to do it in real?

  • to add to Lynn's reply, it's not just bad coding. More often it's a blatant misuse of privileges. I have seen many cases of elevated privileges. Even one website which connected as SA to the database server, with the username and password in clear text in the web.config file!!! :w00t:

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • chandrasekaran.ganapathy (9/5/2010)


    Can you give me any example how to do it in real?

    Here’s a very simplistic case:

    You have a field to enter a user name and password.

    The underlying web screen code concatenates this into a sql command to send to the database to see if you have access.

    The sql command is supposed to look like:

    Select * from users where name = 'myname' and password = 'mypassword'

    Well, if the user enters into the name field the following line:

    Myname' or 1=1--

    This becomes:

    Select * from users where name = 'myname' or 1=1 --' and password = 'mypassword'

    This ends up returning all fields from the users table, because regardless of whether the name matches a name in the table, the 1=1 condition will always be true. And, the double dashes remarks out the rest of the line, so a password check is never performed.

    Once they know they have access, they can then enter for a user name:

    Myname' or 1=1;select * from sys.tables;--

    The semi-colons separate different commands. So, the select * from sys.tables will be run, and will generate a list of all of the tables in the database.

    So the hacker sees one called CustomerInfo. Guess what (s)he does?

    Myname' or 1=1;select * from CustomerInfo;--

    Now, all of the customer information can be displayed for the hacker. And all your customers will soon be victims of identity theft attempts.

    Will you ever know this happened? Not likely.

    How do you defend against it? Besides having the input data validated, you don’t build and run sql commands at the client level; instead you use stored procedures and pass parameters to it.

    The stored procedure will look like:

    CREATE PROCEDURE dbo.IsValidLogin (@username varchar(20), @password varchar(20), @Return bit OUTPUT)

    AS

    SET @Return = 0;

    IF EXISTS (Select * from users where name = @username and password = @password) set @Return = 1;

    GO

    If they put in anything, it will be encapsulated into the PARAMETER, and there won't be a username that matches "Myname' or 1=1--". They won't see anything.

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes


    If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
    Links:
    For better assistance in answering your questions
    Performance Problems
    Common date/time routines
    Understanding and Using APPLY Part 1 & Part 2

  • Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? 😉

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Jeff Moden (9/5/2010)


    Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? 😉

    Sort of why I stayed away from actually showing him how SQL Injection works. There are blogs and articles that do that if you look for them.

  • Lynn Pettis (9/5/2010)


    Jeff Moden (9/5/2010)


    Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? 😉

    Sort of why I stayed away from actually showing him how SQL Injection works. There are blogs and articles that do that if you look for them.

    I really did think twice about this... but if you look at the examples, they also depend on the web site displaying the information. While certainly possible, it is probably looking for a success/fail, and not displaying all the information that is being streamed back. I really wanted to get to a point where I could show how to prevent it, like the last code sample does.

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes

  • WayneS (9/5/2010)


    Lynn Pettis (9/5/2010)


    Jeff Moden (9/5/2010)


    Sooooo... now that we've taught someone how to accomplish SQL Injection, I have to ask... will he use it to avoid injection or carry out revenge on some unsuspecting company? 😉

    Sort of why I stayed away from actually showing him how SQL Injection works. There are blogs and articles that do that if you look for them.

    I really did think twice about this... but if you look at the examples, they also depend on the web site displaying the information. While certainly possible, it is probably looking for a success/fail, and not displaying all the information that is being streamed back. I really wanted to get to a point where I could show how to prevent it, like the last code sample does.

    My problem with the question is that OP seems to think that it is a valid programming technique, not something to be defended against. If the conversation turned more that direction, then I would have been more open to showing more.

  • Guys,

    the remaining point is permissions. SQL injection is possible because of main 2 issues.

    Bad code

    misuse of permissions

    The following

    Myname' or 1=1;drop table dbo.customers;--

    would not work if the account connecting to the database had only read access to the tables. OK, the website is allowing this back door in the first place but if permissions were properly granted the drop would fail. So many times i see systems where developers have 'ticked' every single box on the permissions list to get something working!!!!

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
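    The permissions point above, made runnable: the same injected DROP against a read-write connection and against a read-only one. This is an added example, not Perry's code; SQLite has no GRANT, so a read-only connection (mode=ro) stands in for a SQL Server login that has only read access, and the database, table and row are constructed here.

```python
"""Added example, not from the thread: Perry's point that a read-only account stops the
DROP even when the injection itself gets through. A read-only SQLite connection is the
stand-in for a read-only database login; the customers table is constructed."""
import os
import sqlite3
import tempfile


def make_db_file():
    """Constructed sample database on disk (mode=ro only applies to file databases)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.execute("INSERT INTO customers VALUES ('constructed customer')")
    conn.commit()
    conn.close()
    return path


def attempt(path, read_only):
    """Runs the thread's payload through a vulnerable concatenated query as one batch.
    Returns the database error text, or None if every statement ran."""
    uri = f"file:{path}?mode={'ro' if read_only else 'rw'}"
    conn = sqlite3.connect(uri, uri=True)
    payload = "Myname' or 1=1;drop table customers;--"
    sql = f"SELECT * FROM customers WHERE name = '{payload}'"  # the bug: concatenation
    try:
        conn.executescript(sql)  # executescript runs the whole batch, as SQL Server would
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    conn.close()
    return error


def table_exists(path):
    conn = sqlite3.connect(path)
    n = conn.execute("SELECT count(*) FROM sqlite_master WHERE name = 'customers'").fetchone()[0]
    conn.close()
    return n == 1


def demo():
    """Same payload, two kinds of account: does the customers table survive?"""
    outcome = {}
    for label, ro in (("read_only", True), ("read_write", False)):
        path = make_db_file()
        error = attempt(path, ro)
        outcome[label] = {"survived": table_exists(path), "error": error}
        os.remove(path)
    return outcome
```

    The read-only run still executes the SELECT; only the write is refused, which is exactly the gap least privilege closes while the code bug remains.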

  • Good point Perry.

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes

  • incidentally Wayne, although i do sort of agree with Jeff and Lynn,

    "all pirates should find their own treasure"

    i do think that you presented well to the OP.

    (i hope i don't get the pork chop treatment here, sorry Jeff 😉 )

    At the end of the day he could find that info anywhere without too much trouble. I would have preferred you to touch on permissions a little more though as i think these are the root of all evil!

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • How would a hacker get to see a web.config file?

    How can you not show passwords in a web.config file for the account which is accessing a database?

  • sku370870 (9/6/2010)


    How would a hacker get to see a web.config file?

    possibly many avenues to achieve this on an unsecured server

    sku370870 (9/6/2010)


    How can you not show passwords in a web.config file for the account which is accessing a database?

    by encrypting your connection strings in the web.config file!

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Perry Whittle (9/6/2010)


    incidentally Wayne, although i do sort of agree with Jeff and Lynn,

    "all pirates should find their own treasure"

    i do think that you presented well to the OP.

    (i hope i don't get the pork chop treatment here, sorry Jeff 😉 )

    At the end of the day he could find that info anywhere without too much trouble. I would have preferred you to touch on permissions a little more though as i think these are the root of all evil!

    Heh... not to worry, gents. I was just making an observation. No pork chops here for anyone especially since all the info is so readily available in other places. I just think it's funny that someone would ask what the "use" of SQL Injection was instead of asking how to prevent it. Probably just a language barrier thing... I hope...

    --Jeff Moden

Viewing 15 posts - 1 through 15 (of 22 total)