SQL Inject, And How to Protect

Structured Query Language (SQL) is a language that allows users and web applications to interact with a database. Any time a user enters input, such as a name or password, a SQL command is enacted which enters the input into a database or matches the input to stored data. A technique called SQL injection makes it frighteningly easy for hackers to exploit SQL commands so that they can infiltrate databases.

Before addressing how SQL injection occurs, it is important to explain the role of SQL in properly functioning web applications. Certain SQL queries are executed whenever a legitimate function is triggered. For example, let’s say that a returning user named John Smith enters his username and password. The web page would send the following SQL command to the database when John hits send. The SQL command would then match the username and password against the stored combination:

SELECT id
FROM logins
WHERE username=’JohnSmith’
AND password=’1234”;

But what if the web page isn’t properly coded to protect against SQL attacks? A hacker may inject additional SQL commands to retrieve stored values. This is made possible because the fields available for user input permit SQL commands to pass through and query the database directly.

For example, if a SQL injecter typed the following on an improperly coded webpage, they would be logged into the account because the OR clause is true:

SELECT id
FROM logins
WHERE username='’JohnSmith’'
AND password='password' OR 'x'='x';

One of the most common ways that hackers discover vulnerable web pages is through Google dorks, which are search queries that finds websites meeting the parameters of the advanced query you input. Examples of dorks you can use to find vulnerable sites include inurl:pageid=, inurl:staff_id=, etc. After going to one of the sites that appear in the search, a hacker would then enter an apostrophe at the end of the URL. If the page returs a SQL error, it is vulnerable. A hacker would determine the amount of columns and rows by entering a URL along the lines of: website/index.php?catid=1 order by 1. They would then increase the numbers one by one until they arrive at an error.

SQL injection attacks like this have become popular since all an attacker needs is a web browser, an understanding of SQL, and the ability to guess the name of fields. Apps like Havij have even been developed to facilitate SQL injection attacks. Because of the ease with which SQL injections occur, the Web Application Security Consortium reported that 9% of total hacking incidents in 2006 were due to this technique. This is terrifying. Credit card information, passwords to personal accounts, and other important data are readily available to SQL injecters on web pages that are not properly coded. Security firm Acunetix estimates that 50% of the web pages it tested faced such a risk. In fact, Yahoo, LinkedIn, PBS, the CIA, and Sony Pictures have all been victims of SQL injection.

Now that we have addressed how SQL injection works, let’s consider how an organization can protect against SQL injection. Firewalls and similar mechanisms alone aren’t sufficient. Automated web vulnerability scanners crawl a website and check for SQL injection vulnerabilities. They will specify which scripts are vulnerable so you can fix the code. Dynamic scripting languages like ASP, .NET, PHP and CGI are especially at risk. A database could also be set to restrict to certain commands only. User input must be filtered as well. For example, only email addresses that include @ should pass. These precautionary measures are essential. Otherwise, your credit card number could be in someone else’s hands.