SQL Injection

Posted on October 21, 2012. Filed under: SANS Dev 541


SQL injection is a technique attackers use against web applications. The idea behind it is that a vulnerable web application builds a SQL query out of the user's input, so the input can change the meaning of the query. For example,

The following two Java code snippets take a user input and build a SQL query:

snippet 1:

================================

// Vulnerable: the untrusted "Name" parameter is concatenated directly into the SQL text,
// so a single quote in the input ends the string literal and the rest is parsed as SQL.
Statement stmt = conn.createStatement();
ResultSet rs;
String name = request.getParameter("Name");
rs = stmt.executeQuery("select * from users where name = '" + name + "'");

================================

snippet 2:

================================

// Safe: the query text is fixed up front and the value is bound as a parameter,
// so it is treated as data no matter what characters it contains.
PreparedStatement pstmt = conn.prepareStatement("select * from users where name = ?");
ResultSet rs;
String name = request.getParameter("Name");
pstmt.setString(1, name);
rs = pstmt.executeQuery();

================================

A normal user will put a valid string such as "Tom Hanks" in the Name field.

In both code snippet one and code snippet two, the built SQL will be:

select * from users where name = 'Tom Hanks'

An attacker who realizes that code snippet one has a SQL injection vulnerability and wants to exploit it will put something like the following in the Name field:

fake name' or '1'='1

In code snippet one, the built SQL will be:

select * from users where name = 'fake name' or '1'='1'

Because '1'='1' is always true, this query returns every row in the users table, which is not what the snippet was intended to do.

Luckily, code snippet two is not exploitable by SQL injection. The value is bound as a single parameter, so the effective SQL is:

select * from users where name = 'fake name \' or \'1\'=\'1'

With the single quotes escaped, they are part of the compared value rather than SQL syntax, and the attacker's intention is defeated.
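To make the difference between the two snippets observable, here is an added example (not from the original post) that runs both query styles against a constructed in-memory SQLite table in Python, since Python's sqlite3 module takes the same `?` placeholder as the PreparedStatement above. The `users` rows and the `lookup_*` function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data standing in for the page's "users" table.
SAMPLE_USERS = [("Tom Hanks", "tom@example.com"), ("Meg Ryan", "meg@example.com")]


def make_db():
    """Build an in-memory users table so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, email text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Mirrors snippet 1: the value is spliced into the SQL text,
    so a quote in it ends the literal and the remainder becomes SQL."""
    sql = "select * from users where name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Mirrors snippet 2: the value is bound as a parameter, so the
    database only ever compares it as data, quotes included."""
    sql = "select * from users where name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return the row counts each approach yields for a benign and a hostile name."""
    conn = make_db()
    benign = "Tom Hanks"
    hostile = "fake name' or '1'='1"  # the input from the post
    return {
        "concat_benign": len(lookup_concat(conn, benign)),
        "concat_hostile": len(lookup_concat(conn, hostile)),  # whole table leaks
        "param_benign": len(lookup_param(conn, benign)),
        "param_hostile": len(lookup_param(conn, hostile)),  # no such name: 0 rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```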
