How bad guys hack into websites using SQL Injection
SQL Injection is one of the most common security vulnerabilities on the web. Here I'll try to explain this kind of vulnerability in detail, with examples of bugs in PHP and possible solutions.
If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It is de facto the standard language to access and manipulate data in databases.
Nowadays most websites rely on a database (usually MySQL) to store and access data.
Our example will be a common login form. Internet surfers see these login forms every day: you put your username and password in and then the server checks the credentials you supplied. Ok, that's simple, but what exactly happens on the server when it checks your credentials?
The client (or user) sends two strings to the server, the username and the password.
Usually the server will have a database with a table where the users' data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings it will query the database to see if the supplied credentials are valid. It will use an SQL statement for that, which may look like this:
SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'
For those of you who are not familiar with the SQL language: in SQL the ' character is used as a delimiter for string values. Here we use it to delimit the username and password strings supplied by the user.
In this example we see that the supplied username and password are inserted into the query between the ' characters, and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).
Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:
SELECT * FROM users WHERE username=''' AND password=''
This would trigger an error, since the database engine would consider the string ended at the second ' and would then raise a parsing error at the third ' character. Let's now see what happens if we send this input:
Username: ' OR 'a'='a
Password: ' OR 'a'='a
The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'
Since a is always equal to a, this query will return all the rows from the users table and the server will "think" we supplied valid credentials and let us in - the SQL injection was successful :).
Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:
CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))
There's a single row in that table with data:
username: testuser
password: testing
email: testuser@testing.com
To check the credentials I made the following query in the PHP code:
$query="select username, password from users where username='".$user."' and password='".$pass."'";
The server is also configured to print out errors raised by MySQL (this is useful for debugging, but should be avoided on a production server).
So, last time I showed you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to get more information about the database structure.
Let's get started! So, if we put just a ' character in the username field we get an error message like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1
That's because the query became
select username, password from users where username=''' and password=''
What happens now if we try to put into the username field a string like ' or user='abc ?
The query becomes
select username, password from users where username='' or user='abc ' and password=''
And this gives us the error message
Unknown column 'user' in 'where clause'
That's fine! Using these error messages we can guess the columns in the table. We can try to put ' or email=' in the username field, and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ' or email='testuser@testing.com in both the username and password fields and our query becomes
select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'
which is a valid query and if that email address exists in the table we will successfully login!
You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put ' or user.test=' in the username field and you will see an error message like
Unknown table 'user' in where clause
Fine! Let's try with ' or users.test=' and we have
Unknown column 'users.test' in 'where clause'
so logically there's a table named users :).
Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use this information in an attack.
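To close the loop on the "possible solutions" promised at the top, here is an added example (not code from the original article) that runs the article's login query against an in-memory SQLite copy of its users table: first built by string concatenation exactly as in the PHP line above, then rewritten as a PDO prepared statement. With the injected input ' OR 'a'='a the concatenated query matches the row, the prepared statement matches nothing, and the lone-quote input that produced the article's MySQL syntax error is caught so that only a generic message reaches the client. The hypothetical function names vulnerableLogin and safeLogin are mine; the table and test row are the article's.

```php
<?php
// Added example: the article's login check, vulnerable and fixed, on in-memory SQLite.
// The schema is the article's (it stores plaintext passwords; kept only to match the text).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))");
$db->exec("INSERT INTO users VALUES ('testuser', 'testing', 'testuser@testing.com')");

// Vulnerable: the article's query, assembled by concatenating untrusted input.
// A quote in the input terminates the string literal and the rest becomes SQL.
function vulnerableLogin(PDO $db, string $user, string $pass): int
{
    $query = "select username, password from users where username='" . $user . "' and password='" . $pass . "'";
    return count($db->query($query)->fetchAll());
}

// Fixed: the same query with placeholders. The values travel separately from the
// SQL text, so a quote in the input is just a character, never query syntax.
function safeLogin(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare("select username, password from users where username = ? and password = ?");
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll());
}

$injected = "' OR 'a'='a";
printf("vulnerable, injected input: %d row(s)\n", vulnerableLogin($db, $injected, $injected));
printf("safe, injected input:       %d row(s)\n", safeLogin($db, $injected, $injected));
printf("safe, real credentials:     %d row(s)\n", safeLogin($db, 'testuser', 'testing'));

// A lone quote makes the concatenated query unparsable (the article's syntax error).
// Log the driver's message server-side; show the client nothing about the schema.
try {
    vulnerableLogin($db, "'", "");
} catch (PDOException $e) {
    error_log($e->getMessage());
    echo "Login failed.\n";
}
```

The prepared statement also makes the column- and table-name probing described above fail silently: ' or user.test=' is compared as a literal username, so no error message is produced for the client to read.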
Article Source: http://www.articles32.com
Matija Vidmar is an experienced programmer. He's also interested in computer security, networking and system administration and internet marketing. He owns a tech blog at calibro.candyham.com