Joe Strazzere - All Things Quality

Visit my new blog at http://strazzere.blogspot.com/


March 21, 2006 - SQL Injection

Posted in QA

SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically generated string literals embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

For example:

Here is a sample basic HTML form with two inputs, username and password.


Username:
Password: 

The easiest way for login.php to work is to build a database query that looks like this:

"SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'";

If the variables $username and $password are taken directly from the user's input without checking for special characters, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

"SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'";

Because the application is not interpreting the query but just constructing a string, the single quotes supplied by the user have turned the WHERE into a two-component clause. The 'x'='x' part will be true no matter what the first part contains.

This could allow the attacker to bypass the login form without actually knowing a valid username / password combination!


For reported cases of SQL Injection exposure in the wild, see:



