SQL injection attacks, in which malicious SQL statements are inserted into an entry field (entered by users in an applications) for execution, are one of the most common attacks across the world.
A successful SQL injection exploit can read sensitive data from the database and can modify database data. Most of the applications are interacting with database using structured query language to the databases. SQL injection attack can delete or modify customers’ data in the database.
Consider that there is an application that is used to search about the products in the company. The user has to enter the product name in the input field of an application.They are maintaining the product related data in “Table_Product”.
Consider that one user entering the “Toys” in the input field. Then the search application will list the data related to toys.For this search the SQL query will be “select * from Table_Product where Name=’toys’; ”.
In our programming Code we are just concatenate the string to query which is entered by the user in the input field of application.
Select * from Table_Products where Name = ‘“+TextBox.Text+”’ ;
When user enters like toys then the query will become
Select * from Table_Products where Name = ‘toys’ ; That is good for all.
Just imagine that user enter “ Books’ ; Drop table Table_Product — “ this is the string entered by the user in the input field.
When we are concatenating the entered string the query will become
Select * from Table_Product where Name = ‘Books ‘;Drop Table Table_Product — ‘;
After — everything is consider as commanded text in SQL. So the above query will drop the table .
Example 2 :
Imagine that the Table called Login .It has username , password and ID column.
When the user enters Id it will show username and password. In the ID field if customer enters
12345
Then if the id exist in that table it will show the username and password for that corresponding id .
Select username,password from Login where ID= 12345 ;
If the Hacker enters “12345 OR 1=1”in the Id field then query will become like below
Select username,password from Login where ID=12345 OR 7=7 ;
It will Return every user’s username and password because 7=7 condition is true.
Select username,password from Login where ID=12345 OR NULL is NULL ; this is also will return all data in that login table .
This is called SQL injection.
Solution To Avoid SQL Injection
While doing Programming we should not construct the Dynamic queries by concatenating user’s input .
1. Parameterized Queries(Binding Parameters) to queries.
2. Using Stored Procedures.
When we use parameterized queries whatever the user enter in the input field the whole content is consider as an value for that input.
Using Stored Procedure
Create proc Sp_Product
@Name Varchar(50)
As
Begin
Select * from Table_Prodcut where Name = @Name ;
End
In the above proc we need to pass one parameter to stored procedure that is name of the product. Whatever the user types that is considered as an input for Name parameter.
We need execute the stored procedure using programming and have to give the input for parameter in the stored procedure which is entered by the user in the input field.
So to avoid SQL Injection we should not construct queries(Dynamically) by concatenating users inputs.
Got questions? Email us at: vembu-support@vembu.com for answers.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
