Hello
Everyone,
Today I
am going explain SQL Injection…
( I am
sorry because it is totally theoretical… But it is necessary to start
from A,B,C,D… )
SQL
Injection
SQL Injection is one of the many web attack mechanisms used
by hackers to steal data from organizations. It is perhaps one of the most
common application layer attack techniques used today. It is the type of attack
that takes advantage of improper coding of your web applications that allows
hacker to inject SQL commands into say a login form to allow them to gain
access to the data held within your database.
SQL Injection is the hacking technique which attempts to pass SQL commands
(statements) through a web application for execution by the backend database.
If not sanitized properly, web applications may result in SQL Injection attacks
that allow hackers to view information from the database and/or even wipe it
out.Such features as login pages, support and product request forms, feedback forms, search pages, shopping carts and the general delivery of dynamic content, shape modern websites and provide businesses with the means necessary to communicate with prospects and customers. These website features are all examples of web applications which may be either purchased off-the-shelf or developed as bespoke programs.
These website features are all susceptible to SQL Injection attacks which arise because the fields available for user input allow SQL statements to pass through and query the database directly.
SQL Injection: A Simple Example
Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.
When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.
Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.
The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guess work to important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.
Why is it possible to pass SQL
queries directly to a database that is hidden behind a firewall and any other
security mechanism?
In SQL Injection, the hacker uses
SQL queries and creativity to get to the database of sensitive corporate data
through the web application.
SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in a relational database (or a collection of tables which organise and structure data). SQL is, in fact, the only way that a web application (and users) can interact with the database. Examples of relational databases include Oracle, Microsoft Access, MS SQL Server, MySQL, and Filemaker Pro, all of which use SQL as their basic building blocks.
SQL commands include SELECT, INSERT, DELETE and DROP TABLE. DROP TABLE is as ominous as it sounds and in fact will eliminate the table with a particular name.
In my next post I will explain real example of SQL injection. I want to explain that in my this post but then I realize that some basic knowledge of SQL injection is required first.
Don’t worry if you are a web developer I will also explain how to develop website which cannot be hacked using SQL injection.
By,
Shweta Jogi
Enjoy Every Moment of Your Life...
No comments:
Post a Comment