SQL injection
Server-side data
[Diagram: Client (browser) <-> Server (web server) <-> Database. The database holds the application's long-lived, private state, stored separately from the web server.]
We need to protect this state from illicit access and tampering.
Server-side data
• Typically want ACID transactions
  • Atomicity
    - Transactions complete entirely or not at all
  • Consistency
    - Every transaction takes the database from one valid state (all integrity constraints satisfied) to another
  • Isolation
    - Results from a transaction aren't visible to other transactions until it is complete
  • Durability
    - Once a transaction is committed, its effects persist despite, e.g., power failures
• Database Management Systems (DBMSes) provide these properties (and then some)
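As an added example (it is not from the slides): a small Python sqlite3 transfer that makes atomicity and durability visible. The Accounts table, its two rows and the CHECK constraint are constructed for this example; the constraint plays the role of the consistency rule the DBMS enforces.

```python
import sqlite3

# Constructed sample data (not from the slides): two accounts, plus a CHECK
# constraint so that an overdrawn balance is an invalid state the DBMS rejects.
ACCOUNTS = [("Charlie", 100), ("Dennis", 20)]


def make_accounts_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO Accounts VALUES (?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst inside one transaction.

    The credit is applied first on purpose: if the debit then fails (the
    CHECK constraint forbids a negative balance), the credit that already
    ran must vanish as well. rollback() undoes every statement since the
    transaction began (atomicity); commit() makes both updates durable.
    """
    try:
        conn.execute("UPDATE Accounts SET balance = balance + ? WHERE name = ?",
                     (amount, dst))
        conn.execute("UPDATE Accounts SET balance = balance - ? WHERE name = ?",
                     (amount, src))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM Accounts ORDER BY name"))
```

Python's sqlite3 opens a transaction implicitly before the first UPDATE, so the two statements belong to one unit; without the rollback, the failed second transfer below would leave Charlie 500 richer with nobody debited.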
SQL (Structured Query Language)
Table (here, the table named Users):

  Name     Gender  Age  Email              Password
  Charlie  M       32   [email protected]    0aergja      <- a row (record)
  Dennis   M       28   [email protected]    1bjb9a93
  ...

Each horizontal line is a row (record); each vertical slice (Name, Gender, Age, Email, Password) is a column.
SELECT Age FROM Users WHERE Name='Dee';                        -- returns 28
UPDATE Users SET email='[email protected]' WHERE Age=32;   -- this is a comment
INSERT INTO Users VALUES ('Frank', 'M', 57, ...);
DROP TABLE Users;
Server-side code
Website "login code" (PHP):

$result = mysql_query("select * from Users
    where(name='$user' and password='$pass');");

Suppose you are successfully logged in as $user if this query returns any results.
How could you exploit this?
SQL injection
Suppose the attacker enters this as the user name:

frank' OR 1=1); --

Then

$result = mysql_query("select * from Users
    where(name='$user' and password='$pass');");

becomes

$result = mysql_query("select * from Users
    where(name='frank' OR 1=1); -- and password='whocares');");

The OR 1=1 makes the WHERE clause true for every row, and the -- comments out the rest of the original query, including the password check. The query returns every user, so the login succeeds without a password.
SQL injection
Now suppose the user name is:

frank' OR 1=1); DROP TABLE Users; --

Then

$result = mysql_query("select * from Users
    where(name='$user' and password='$pass');");

becomes

$result = mysql_query("select * from Users
    where(name='frank' OR 1=1);
    DROP TABLE Users; -- and password='whocares');");

Can chain together statements with a semicolon:
STATEMENT 1 ; STATEMENT 2

Whether the second statement actually runs depends on the database API: PHP's legacy mysql_query() executes only a single statement, while mysqli_multi_query() (and multi-statement interfaces of other drivers) run every statement in the string. The vulnerability is the string building either way; the driver only decides which payloads work.
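The login query above, as an added Python/sqlite3 example (not the course's PHP code) so both payloads can be run end to end: the string-built query beside a parameterized one, and the stacked DROP TABLE payload sent through a single-statement API and through a multi-statement one. The rows mirror the Users table on the slides; the e-mail addresses are constructed placeholders.

```python
import sqlite3

# Rows mirror the Users table on the slides; the e-mail addresses are
# constructed placeholders. Plaintext passwords are kept only to match the
# slide: a real application stores a salted password hash instead.
USERS = [
    ("Charlie", "M", 32, "charlie@example.com", "0aergja"),
    ("Dennis", "M", 28, "dennis@example.com", "1bjb9a93"),
]


def make_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Gender TEXT, Age INTEGER, "
                 "Email TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def build_query(user, password):
    # The slide's string building: user input is pasted straight into SQL text.
    return f"select * from Users where(name='{user}' and password='{password}');"


def login_vulnerable(conn, user, password):
    """Same logic as the slide's PHP: whatever the user typed becomes SQL syntax."""
    return conn.execute(build_query(user, password)).fetchall()


def login_safe(conn, user, password):
    """Parameterized form: the SQL text is fixed and the values are bound
    separately, so quotes, semicolons and -- in the input remain data."""
    query = "select * from Users where(name=? and password=?);"
    return conn.execute(query, (user, password)).fetchall()


def stacked_attack(conn, user, password, multi_statement_api):
    """Feed the DROP TABLE payload through the vulnerable string building.

    sqlite3's execute() accepts exactly one statement, like PHP's legacy
    mysql_query(); executescript() runs every statement it is given, like
    mysqli_multi_query(). Returns what happened to the Users table.
    """
    query = build_query(user, password)
    try:
        if multi_statement_api:
            conn.executescript(query)
        else:
            conn.execute(query)
    except (sqlite3.Warning, sqlite3.Error):
        return "rejected"            # driver refused the second statement
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='Users'"
    ).fetchone()
    return "table kept" if exists else "table dropped"


if __name__ == "__main__":
    db = make_users_db()
    payload = "frank' OR 1=1); --"
    print("vulnerable:", login_vulnerable(db, payload, "whocares"))
    print("safe:      ", login_safe(db, payload, "whocares"))
    drop = "frank' OR 1=1); DROP TABLE Users; --"
    print("execute():      ", stacked_attack(db, drop, "whocares", False))
    print("executescript():", stacked_attack(db, drop, "whocares", True))
```

The first payload logs in through login_vulnerable (every row comes back) and fails through login_safe (no row has that literal name). The DROP TABLE payload is refused by the single-statement API and succeeds through the multi-statement one, which is the point of the caveat above: the fix is binding parameters, not hoping the driver rejects stacked statements.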
SQL injection attacks are common
[Chart: percentage of reported vulnerabilities that are SQL injection, by year, 2002-2014 (y-axis 0-20%); data from the NVD statistics page below.]
Sources: http://web.nvd.nist.gov/view/vuln/statistics
         http://xkcd.com/327/ (xkcd 327, "Exploits of a Mom")