
5 SQL Injection Attack Examples for Prevention

SQL Injection was discovered some two decades ago.

It allows attackers to execute malicious SQL statements against web applications whose input validation is weak. According to a report from Positive Technologies, SQL Injection is still one of the most common vulnerabilities globally.


The statistic is not really a surprise, given how much robust input validation a website needs. To help you build that, we have put together this guide to SQL injection with examples.

What is SQL Injection?

Simply put, SQL Injection is a technique for manipulating a database through a web page's input fields. Malicious input, once accepted by the server or application, can be used to read or alter user and company data.


SQL Injection is one of the simplest and yet most destructive attack ideas. Thousands of web servers suffer from it every day, causing millions of dollars in losses.

  • Attackers can use this vulnerability to extract credentials of users from the database. After which, they can pose as real users and steal their money or data.
  • Attackers can gain administrator privileges in the database to erase, copy, or corrupt all business data in the server.
  • In some cases, SQL Injection also allows attackers to reach the underlying operating system, which opens the way to an attack on your business's internal network.

SQL Injection Attack Example 1

Imagine that you are an attacker. Your goal here is simple.


You do not know what kind of input validation this website form uses. You have to try some popular SQLi statements to find out if you can crack the form.

<form action="/login.php" method="POST">
  <p>Username: <input type="text" name="username" /></p>
  <p>Password: <input type="text" name="password" /></p>
  <p><input type="submit" value="Log In" /></p>
</form>

You do not need to be a seasoned hacker to understand what this form does. Even without an automated tool to brute-force it, an educated guess can cause a lot of damage.

On the server, the submitted values arrive as $_POST['username'] and $_POST['password'], and the login script splices them straight into the query text:

<?php
// Vulnerable: the raw POST values are interpolated into the SQL string, so a
// quote in the input ends the literal and the rest is executed as SQL.
$sql = "SELECT count(*) FROM users
        WHERE username = '{$_POST['username']}'
        AND password = '...'";
?>

As long as you can get a common username such as 'david' or 'anna' accepted, you can gain access to that user's account.

Search-based SQLi Attack

Now let’s consider an attack that exploits the search field on any website.

select * from notes nt where nt.subject = 'search_word';

Instead of a genuine search term, a little manipulation makes sure the WHERE clause is always true.

select * from notes nt where nt.subject = '' or 1=1;--

This is one of the easiest ways to hack a site. There are numerous tools on the market that can attack thousands of websites with a single click using this query. Some variations of the query also guarantee that it is always true:

  • ' or 'abc'='abc';--
  • ' or ' '=' ';--

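As an added illustration (not code from the original article), here are the login and search queries above in Python against an in-memory SQLite database: the interpolated versions accept the tautology inputs listed above, while the parameterized versions treat them as ordinary strings. Table contents and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data for this example; passwords are stored in plain text
# only to mirror the article's query, which is itself a bad practice.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('david', 'correct horse'), ('anna', 'battery staple');
CREATE TABLE notes (subject TEXT, body TEXT);
INSERT INTO notes VALUES ('groceries', 'milk, eggs'), ('secret', 'do not leak');
"""

def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def login_vulnerable(con, username, password):
    # Mirrors the PHP snippet: user input is spliced into the SQL text, so a
    # quote in the password ends the literal and the rest becomes SQL.
    sql = (f"SELECT count(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone()[0] > 0

def login_safe(con, username, password):
    # Placeholders: the driver sends the values separately from the query text,
    # so a quote inside the input is data, never syntax.
    sql = "SELECT count(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

def search_vulnerable(con, word):
    # Mirrors the search query from the article, with the search word interpolated.
    sql = f"SELECT subject FROM notes nt WHERE nt.subject = '{word}' ORDER BY nt.subject"
    return con.execute(sql).fetchall()

def search_safe(con, word):
    # Same query with the search word bound as a parameter.
    sql = "SELECT subject FROM notes nt WHERE nt.subject = ? ORDER BY nt.subject"
    return con.execute(sql, (word,)).fetchall()

if __name__ == "__main__":
    con = connect()
    # The tautology inputs from the article: accepted when interpolated, inert when bound.
    print(login_vulnerable(con, "david", "' OR ''='"), login_safe(con, "david", "' OR ''='"))
    print(search_vulnerable(con, "' OR 'abc'='abc"), search_safe(con, "' OR 'abc'='abc"))
```
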
Information Leak Attack

Think about how a developer might display bank account details. Early on in the banking industry, the easiest way to do it was to take the account owner's identifier straight from the URL.

// Vulnerable: the user_id request parameter is concatenated directly into the query.
String accountBalanceQuery =
    "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = "
    + request.getParameter("user_id");
try {
    Statement statement = connection.createStatement();
    ResultSet rs = statement.executeQuery(accountBalanceQuery);
    while (rs.next()) {
        page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance"));
    }
} catch (SQLException e) { ... }

What could be simpler? If user '7383' is logged in, the URL will most likely look like this:

https://mybank/show_mybalances?user_id=7383

The account query will look something like:

SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 984

Banks learned this the hard way when attackers started changing the query parameter at will. There are thousands of disclosed and undisclosed cases in which attackers extracted data on all bank accounts with a query like this:

SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 0 OR 1=1

Other Examples of SQL Injection

  • Delete records from the database
  • Bring the application down

How to Stop SQL Injection Attack?

While there are a dozen different ways to exploit SQL Injection vulnerabilities, there is essentially one way to ensure security: developers or security experts have to validate input and parametrize queries, using prepared statements.

It does not matter what your application does: it must never use user input directly in a query, because that exposes the backend to attackers. The developer must validate and sanitize everything that comes into the application.

However, finding this vulnerability is another task. Your team cannot go through every piece of input-handling code written over the past years by hand. When attackers use automation, you should too.

There are dozens of security scanning tools that can offer detailed reports on SQLi vulnerabilities on your site.
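
As an added example (not code from the original article), the prevention advice above applied to the account-balance query from the information-leak example, in Python against a constructed SQLite table: concatenating the URL parameter lets the "0 OR 1=1" value return every account, while the hardened version binds the owner id as a typed parameter and takes it from the authenticated session instead of the request. Account numbers and balances are constructed sample data; the user ids are the ones used in the article.

```python
import re
import sqlite3

# Constructed sample data for this example; the ids 7383 and 984 come from the
# article, the account numbers and balances are made up.
SCHEMA = """
CREATE TABLE accounts (accountNumber INTEGER, balance REAL, account_owner_id INTEGER);
INSERT INTO accounts VALUES (1001, 250.0, 7383), (1002, 90.5, 7383), (2001, 9999.0, 984);
"""

def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def balances_vulnerable(con, user_id_param):
    # Mirrors the Java snippet: the raw URL parameter is concatenated into the
    # query, so a value like "0 OR 1=1" widens the WHERE clause to every account.
    sql = ("SELECT accountNumber, balance FROM accounts "
           "WHERE account_owner_id = " + user_id_param)
    return con.execute(sql).fetchall()

def parse_user_id(param):
    # If an id has to be read from the request at all, accept only a plain
    # decimal integer; anything else is rejected before it reaches the database.
    if re.fullmatch(r"[0-9]+", param) is None:
        return None
    return int(param)

def balances_safe(con, session_user_id):
    # The owner id comes from the authenticated session, not from the URL, and
    # it is bound as a parameter instead of being spliced into the SQL text.
    if not isinstance(session_user_id, int):
        raise TypeError("session_user_id must be an int")
    sql = ("SELECT accountNumber, balance FROM accounts "
           "WHERE account_owner_id = ? ORDER BY accountNumber")
    return con.execute(sql, (session_user_id,)).fetchall()

if __name__ == "__main__":
    con = connect()
    # A legitimate id returns two rows; the tampered parameter returns all three.
    print(len(balances_vulnerable(con, "7383")), len(balances_vulnerable(con, "0 OR 1=1")))
    # Validation rejects the tampered value outright.
    print(parse_user_id("7383"), parse_user_id("0 OR 1=1"))
    # The hardened query only ever sees the session's own id.
    print(balances_safe(con, 7383))
```
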


Ishan Mathur

From stopping hackers to getting the fastest CDN, I'm helping big and small companies choose what's best for them by building a community here.
