How bad guys hack into websites using SQL injections

SQL injection is one of the most common security threats on the web. Here I will try to explain this type of vulnerability in detail, with examples of bugs in PHP and possible solutions.

If you are not very confident about programming languages and web technologies you may be wondering what SQL is all about. Well, it is an abbreviation for Structured Query Language (pronounced "sequel"). It is the de facto standard language for accessing and manipulating data in a database.

Today many websites rely on a database (usually MySQL) to store and access data.

Our example will be a standard login form. Internet users see these login forms daily: you enter your username and password and the server checks the credentials you provided. Okay, that's easy, but what really happens on the server when it checks your credentials?

The client (or user) sends the server two strings, the username and password.

Usually the server will have a database with a table where user data is stored. This table has at least two columns, the username and the password. When the server receives the username and password it will query the database to see if the credentials provided are valid. It will use an SQL statement that might look like:

SELECT * FROM users WHERE username = 'SUPPLIED_USER' AND password = 'SUPPLIED_PASS'

For those unfamiliar with SQL, the ' character is used as a delimiter for string values. Here we use it to delimit the username and password given by the user.

In this example we see that the given username and password are inserted into the query between ' characters, and the whole query is then executed by the database engine. If the query returns any rows, then the credentials provided are valid (that user is in the database and has the provided password).

Now, what happens if a user types a ' character in the username or password field? Well, by simply putting a ' in the username field and leaving the password field empty, the query will be:

SELECT * FROM users WHERE username = ''' AND password = ''

This can cause an error, as the database engine will consider the string terminated at the second ' and then raise a parse error at the third ' character. Now let's see what would happen if we sent this input data:

Username: ' OR 'a' = 'a

Password: ' OR 'a' = 'a

The query will be

SELECT * FROM users WHERE username = '' OR 'a' = 'a' AND password = '' OR 'a' = 'a'

Since a is always equal to a, this query will return all rows from the users table and the server will "assume" that we have provided valid credentials and let us in - the SQL injection was successful :).

Now we will see more advanced techniques. My example will be based on the PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))

There is one row in that table with data:

username: testuser
password: check
email: [email protected]

To check the credentials I built the following query in PHP code:

$query = "select username, password from users where username = '" . $user . "' and password = '" . $pass . "'";

The server is also configured to print errors raised by MySQL (this helps with debugging, but should be avoided on a production server).

So far I have shown you how SQL injection basically works. Now I will show you how to build more complex queries and how to use MySQL error messages to learn more about the database structure.

Let's get started! So, if we just put a ' character in place of the username we get an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password = ''' at line 1

That's because the query became

select username, password from users where username = ''' and password = ''

What happens now when we try to replace the username with a string like ' or user='abc?

The query becomes

select username, password from users where username = '' or user='abc' and password = ''

And this gives us the error message

Unknown column 'user' in 'where clause'

All right! By using these error messages we can guess the columns in the table. We can try putting ' or email=' in the username field, and since we do not receive an error message, we know that an email column exists in that table. If we know the user's email address, we can now try ' or email='[email protected] in both the username and password fields and our query becomes

select username, password from users where username = '' or email='[email protected]' and password = '' or email='[email protected]'

which is a valid query and if that email address is in the table we will sign in successfully!

You can also use error messages to guess a table name. Since in SQL you can use table.column notation, you can try putting ' or user.test=' in the username field and you will see an error message like

Unknown table 'user' in where clause

Good! Let's try ' or users.test=' and we have

Unknown column 'users.test' in 'where clause'

so we can infer that there is a table called users :).

Basically, if the server is configured to show error messages, you can use them to work out the database structure and then use this information in an attack.
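
The login check from this article rewritten with placeholders, next to the concatenated query, run against the same three inputs used above. This is an added example, not the author's code: it assumes PHP 8 with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL, and the function names and the sample email address are made up for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the article's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))');
// Constructed row mirroring the article's table (plaintext password kept only for parity).
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['testuser', 'check', 'testuser@example.test']);

// The article's pattern: user input is concatenated into the SQL text.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    $query = "select username, password from users where username = '" . $user
           . "' and password = '" . $pass . "'";
    return $db->query($query)->fetch() !== false;
}

// Hardened: placeholders send input as data, so quotes never reach the SQL parser.
// Database errors go to the server log; the caller only learns that login failed.
function login_safe(PDO $db, string $user, string $pass): bool
{
    try {
        $stmt = $db->prepare(
            'SELECT username FROM users WHERE username = :user AND password = :pass'
        );
        $stmt->execute([':user' => $user, ':pass' => $pass]);
        return $stmt->fetch() !== false;
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage());
        return false;
    }
}

$inputs = [
    ['testuser', 'check'],                  // valid credentials
    ["' OR 'a' = 'a", "' OR 'a' = 'a"],     // the article's always-true input
    ["'", ''],                              // the article's single-quote probe
];
foreach ($inputs as [$user, $pass]) {
    try {
        $old = login_vulnerable($db, $user, $pass) ? 'accepted' : 'rejected';
    } catch (PDOException $e) {
        $old = 'error shown: ' . $e->getMessage();
    }
    $new = login_safe($db, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-15s vulnerable: %s | prepared: %s\n", $user, $old, $new);
}
```

The concatenated version accepts the always-true input and surfaces a database error for the single quote; the prepared version accepts only the real credentials and reveals nothing about the query.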
