What is SQL injection, how dangerous and how to prevent it

Tram Ho

Article Source: https://tienminhvy.com/kinh-nghiem/sql-injection-la-gi-va-cach-phong-tranh

SQL injection is a fairly basic but extremely dangerous error when programming a web application, however, there are many large websites on the Internet that have encountered this serious security error and consequently data leaks. data of millions of users around the world.

It’s inherently difficult to program a website, and to protect it from hackers stalking your website it’s even more difficult, as in the previous post I mentioned data leaks at Flaticon and Freepik and the reasons. of this problem is the SQL injection error.

Why this error is quite basic, but many programmers often make mistakes when programming applications, let’s find out.

What is SQL injection?

SQL injection is a technical error that the programmer accidentally (or may intentionally) create when programming a web application, this is the vulnerability of checking for user input containing signatures. Special order affects the database system.

This allows hackers to pass the data check with just a few special characters. And the result as you know it is causing security issues that lead to unwanted user data leakage. Usually, SQL injection error occurs in: Login / registration form, search form, data lookup form, …

How dangerous is SQL injection?

SQL injection is extremely dangerous, with SQL injection security errors, hackers can take advantage of to steal data in the database of a website. With this error, the hacker can insert data, export the data to the screen and steal it easily, …

SQL injection

In addition, if a hacker is your website’s adversary, that person can execute a command used to delete a lot of important data from the database or delete the entire database of a website, but against a Database is the most important thing when it comes to dynamic website.

An example of a SQL injection error

Example # 1

So you can imagine how the SQL injection error is and how dangerous I have written a small login form for testing as follows (note this form is only for testing purposes):

alt text


Start testing

For example, this is the login page of XYZ bank, I know the username of a person named tmv, but he did not give me the password. So when I enter any password, the web server returns as shown below.

SQL injection ex_1

And I’m always naughty, so I added the character (‘) to the password box and got the following result:

SQL injection ex_1

When the server returns an error in the form of Warning: … then surely this website has SQL Injection vulnerability. Therefore, if I want to log in, I will enter the username and the following command in the password box and click login:

And the website will return the following page:

SQL injection ex_1

Why is that?

Here, I guess the principle of the SQL statement of this website is as follows:

And when I enter the character (‘) after any password in the password box, I will get the following command:

When executing the above command, the system will issue a Warning: … error as shown above, so I modified the above statement and the received command is:

Here, when the system checks this statement, there are 3 conditions, username = string, password = string and 1 = 1. By default, when conditional number 1 is true but conditional sentence 2 is incorrect, the system will immediately exit. After the above conversion, it will return TRUE for all cases because TRUE AND FALSE OR TRUE the final result will be TRUE.

Therefore, the system will find the user and obviously will bybass (pass) the password check, so the system returns the user with the same information as shown above without having to go through any checks. both.

Example # 2

With this example, I will get information of all users in the database of the XYZ Bank website. The source code of this page is as follows (for testing purposes only):

SQL injection ex_2

For example, bank XYZ has a page to find bank messages, and if I want to check the bank’s messages, I go to the page above. And I also do the same action as above, enter the character (‘) in the title box to find and click Check.

And the website shows the message below, the website has got SQL injection security error. But this time more specifically, if you enter the correct title, the website will display a list of title and content of the notice. So I guess here the system calls the SQL statement to get the value of two columns as follows.

SQL injection ex_2

Therefore, I will enter the following statement in the box:

After entering, I press test to execute the command.

SQL injection ex_2

And we have received the following list, with the above statement, we already know how many tables are in a database on that SQL database system. To check the database that the website is currently connected to, scroll down to the bottom of the list.

SQL injection ex_2

And below, right where the last keyword phpmyadmin and the beginning of a new line with 2 lines, those 2 rows are the current 2 tables in the database named sql_inj

SQL injection ex_2

In the user table there will be login information for all users on this website. But one thing is that I still do not know how many columns in the user table can be obtained because if all are taken with an asterisk (*), the system will error.

So, I’ll type the following in the box and press Enter:

In the above statement, I chose 2 columns, column_name and 1 because by default, the system chose 2 columns to process the request, so if you choose more or less, the system will report an error.

After executing the above command, I get the list as shown below. As you can see, there are countless columns in the user table of the whole database system, here I predict that the two bolded lines are the columns of the user table in the sql_inj database.

SQL injection ex_2

And to get a list of information in this user table, I enter the following command in the box and press Enter:

And we have successfully retrieved the list of users in the user table already.

SQL injection ex_2

How to prevent SQL injection vulnerability

As you can see above, the SQL injection vulnerability is extremely dangerous because it makes it possible for hackers to manipulate the database directly without having to verify any steps.

Fortunately, the majority of current programming languages ​​already support functions to be able to escape the statement (adding asterisk () before special characters) before executing it on the database, thus will be limited and probably will safely block SQL injection vulnerabilities.

And the current PHP programming language supports many functions for this, most notably mysqli_real_escape_string (), with this function, the system will use the syntax of the database system to escape command strings into standard SQL statements. .

To be able to use this command, refer to the code below:

As you can see, the command has been escaped and is safe to execute.


SQL injection

In summary, through this article, you have understood what SQL injection is, how dangerous it is and how to prevent it. Note that please apply the above mentioned solution to all forms when you program your website, and remember the unwritten rule that “Never trust user input!”.

Good luck.

Share the news now

Source : Viblo