Hello everyone,
I am back with SQL Inection, sorry for late...
Example
of a SQLInjection Attack
Here is a sample basic HTML form with two inputs, login and password.
<form
method="post"
action="http://testasp.vulnweb.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>
The
easiest way for the login.asp to work is by building a database query that
looks like this:
SELECT
id
FROM logins
WHERE username = '$username'
AND password = '$password’
FROM logins
WHERE username = '$username'
AND password = '$password’
If
the variables $username and $password are requested directly from the user's
input, this can easily be compromised. Suppose that we gave "Joe" as
a username and that the following string was provided as a password: anything'
OR 'x'='x
SELECT
id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'
As
the inputs of the web application are not properly sanitised, the use of the
single quotes has turned the WHERE SQL command into a two-component clause.
The
'x'='x' part guarantees to be true regardless of what the first part contains.
This
will allow the attacker to bypass the login form without actually knowing a
valid username / password combination!
Preventing SQL injection
To
protect against SQL injection, user input must not directly be embedded in SQL
statements. Instead, parameterized statements must be used (preferred), or
user input must be carefully escaped or filtered.
Parameterized statements
With
most development platforms, parameterized statements can be used that work
with parameters (sometimes called placeholders or bind variables) instead
of embedding user input in the statement.
In many cases, the SQL statement
is fixed. The user input is then assigned (bound) to a parameter.
This
is an example using Java and the JDBC API:
PreparedStatement
prep = conn.prepareStatement("SELECT * FROM
USERS
WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1,
username);
prep.setString(2,
password);
prep.executeQuery();
Similarly,
in C#:
using
(SqlCommand myCommand = new SqlCommand("SELECT * FROM
USERS
WHERE USERNAME=@username AND
PASSWORD=HASHBYTES('SHA1',
@password)",
myConnection))
{
myCommand.Parameters.AddWithValue("@username",
user);
myCommand.Parameters.AddWithValue("@password",
pass);
myConnection.Open();
SqlDataReader
myReader = myCommand.ExecuteReader())
...................
}
In
PHP :
$db
= new PDO('pgsql:dbname=database');
$stmt
= $db->prepare("SELECT priv FROM testUsers WHERE
username=:username
AND password=:password");
$stmt->bindParam(':username',
$user);
$stmt->bindParam(':password',
$pass);
$stmt->execute();
There
are also vendor-specific methods; for instance, using the mysqli[6] extension
for MySQL 4.1 and above to create parameterized statements:
$db
= new mysqli("localhost", "user", "pass",
"database");
$stmt
= $db -> prepare("SELECT priv FROM testUsers WHERE
username=?
AND password=?");
$stmt
-> bind_param("ss", $user, $pass);
$stmt
-> execute();
Escaping
A
straight-forward, though error-prone, way to prevent injections is to escape dangerous
characters.
One of the reasons for it being error prone is that it is a type
of blacklist which is less robust than a whitelist.
For instance, every occurrence
of a single quote (') in a parameter must be replaced by two single quotes
('') to form a valid SQL string literal.
In PHP, for example, it is usual to escape
parameters using the function mysql_real_escape_string before
sending
the SQL query:
$query
= sprintf("SELECT * FROM Users where UserName='%s' and
Password='%s'",
mysql_real_escape_string($Username),
mysql_real_escape_string($Password));
mysql_query($query);
By,
Shweta Jogi
Enjoy every moment of you life...
No comments:
Post a Comment