What is a SQL injection and how to fix it ?
What is a SQL injection?
SQL injection is a technique where malicious users try to “inject” his harmful/malicious SQL code into someone else’s database, and force that database to run his SQL. This could potentially ruin their database tables, and even extract valuable or private information from their database tables.
In simple word – An SQL Injection can destroy your database.
So how do users/hackers do this? Best way to show with an example.
Example of SQL injection
1) Based on 1=1 is always true
Let’s say that the original purpose of the code was to create an SQL statement to select a user with a given user id.
If there is nothing to prevent a user from entering “wrong” input, the user can enter some “smart” input like this:
SELECT * FROM Users WHERE UserId = 105 or 1=1
The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true.
Does the example above seem dangerous? What if the Users’ table contains names and passwords?
A smart hacker might get access to all the user names and passwords in a database by simply inserting 105 or 1=1 into the input box.
2) Based on “”=”” is always true
sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'"
A smart hacker might get access to user names and passwords in a database by simply inserting ” or “”=” into the user name or password text box.
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The result SQL is valid. It will return all rows from the table Users, since WHERE “”=”” is always true.
3) Based on Batched SQL Statements
Most databases support batched SQL statement, separated by semicolon.
The code at the server would create a valid SQL statement like this:
SELECT * FROM Users WHERE UserId = 110; DROP TABLE Suppliers -- Boom! Table dropped
The SQL above is valid.It will delete table Suppliers.
How to prevent a SQl injection
1) Filter Input- Stop believing your user. The biggest threat to the application is from its users. Users need not be well mannered and obedient as you are expecting. Some users have really bad intentions and some simply try to test their hacking skills. Whatever code you are going to write, write it using the best practices and consider the security aspects of it. Validate every field in the form
2) Use database wrapper classes or PDO –
Database wrappers or PDO (in PHP) can reduce the risk of direct access of the input values to the database.
Prepared statements can be used along with PDO as shown below.
$stmt = $conn->prepare("INSERT INTO tbl_user VALUES(:id, :name)");
$stmt->bindValue(':id', $id);
$stmt->bindValue(':name', $name);
$stmt->execute();
CodePlateau Technology Solutions is a professional website development company in Pune, India. User privacy is of paramount importance in todays environment. Having hackers be able to steal you data is a serious NO-NO! For Safe and Securely developed Website Development get in touch with CodePlateau today.