In this post we will discuss why applications are vulnerable to SQL injection. If you don't have previous knowledge of SQL, please have a look at the previous post about SQL injection basics. The reason most web applications are vulnerable to SQL injection is that developers build SQL statements by concatenating user input into the query string and pass the result straight to the database, without validating the input or using parameterized queries. The technology used to build the application does not protect against this on its own: any server-side language or framework used to generate dynamic content, such as ASP, ASP.NET (including C#), PHP, JSP or CGI scripts, produces an injectable application if input is not handled properly. Honestly speaking, this post will be easiest to follow for those who have built a web application at least once with any of the above tools.
So how does an application become vulnerable, and what is improper SQL query handling? Let's learn from an example:
select * from website where name = 'XTRA WEB';
The statement above lists every row in the database whose name is "XTRA WEB". Notice carefully how XTRA WEB is enclosed in a balanced pair of single quotes (apostrophes). Now consider the following statement:
select * from website where name = 'XTR'A WEB';
Notice the variation in the value passed: in the first statement it is XTRA and in the second it is XTR'A. According to standard SQL the first statement is correct, whereas the second is not, because the extra apostrophe closes the string early and leaves the quotes unbalanced. When you pass the second statement to the SQL command shell it returns a standard syntax error such as the following (the wording here is SQL Server's; other databases report the same problem in their own words):
Incorrect syntax near 'WEB'
and the related server message:
Unclosed quotation mark before the character string '
If a message like this comes back to the browser, it is certain that the application developer has not handled the SQL query through a proper database API (prepared statements with bound parameters) and has instead pasted the input into the query text and sent it directly to the database. This is known as improper SQL query handling, or just improper query handling, and it is the main reason any web application is vulnerable to SQL injection. The leaked error message is a second mistake in its own right: it tells the attacker which database is in use and confirms that the injected apostrophe reached the query parser.
Now, how does this help an attacker perform SQL injection? If you are, or have ever been, a web developer, you will remember that a dynamic site built with heavy use of scripts may show the same URL no matter how many pages you navigate through. The links and form fields are still present in the page; they are not visible to a normal user, but anyone can see them by viewing the page source or by right-clicking and copying a link. Those links and hidden fields carry pre-generated values that a normal user never changes, but an attacker who gets hold of the link can submit his or her own value in place of the predefined one. The same applies to ordinary text input fields, where an attacker can type SQL rather than the value the form expects. For example, if an input box asks for the name of a blog in order to retrieve other information about that blog, you can append SQL to it: rather than entering XTRA WEB you enter XTRA WEB' OR 1=1--. The apostrophe closes the string, OR 1=1 makes the condition true for every row, and -- comments out whatever the application appends afterwards, so the query becomes
select * from website where name = 'XTRA WEB' OR 1=1--';
if the input is not sanitized and is passed directly to the database. This is a valid SQL statement, and it returns every row in the table instead of the single row the developer intended. Those who are new to SQL and web development may find this post a little hard to follow, but don't worry: after reading the next part it will not seem so difficult.
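To make the difference concrete, here is an added example (my own code, not from the original post) in Python using the standard-library sqlite3 module. The website table, its three rows and the function names are constructed for this illustration. The vulnerable function pastes the user's text into the query string exactly as described above, so XTR'A WEB produces a database syntax error and XTRA WEB' OR 1=1-- returns every row; the parameterized version binds the same inputs as data and returns nothing for either of them.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "website" table standing in for
# the blog database in the post. Not the original page's schema.
SAMPLE_ROWS = [
    ("XTRA WEB", "https://example.invalid/xtra"),
    ("Other Blog", "https://example.invalid/other"),
    ("Secret Admin Panel", "https://example.invalid/admin"),
]


def make_db():
    """Create the sample database and return an open connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table website (name text, url text)")
    conn.executemany("insert into website values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_input):
    """Improper query handling: the user's text is concatenated straight into
    the SQL string, so the database parses it as part of the query.

    Returns (rows, error_message). error_message is the raw database error a
    careless application would echo back to the browser, or None on success.
    """
    sql = "select * from website where name = '" + user_input + "';"
    try:
        rows = conn.execute(sql).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        # An unbalanced apostrophe ends up here: the parser, not the data, fails.
        return [], str(exc)


def lookup_parameterized(conn, user_input):
    """Proper handling: the value is bound to a placeholder, so the database
    never parses it as SQL. A stray apostrophe or an OR 1=1-- is just text
    that has to match a name exactly."""
    return conn.execute(
        "select * from website where name = ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("XTRA WEB", "XTR'A WEB", "XTRA WEB' OR 1=1--"):
        rows, err = lookup_vulnerable(db, value)
        print(f"vulnerable   {value!r:26} -> {len(rows)} row(s), error={err!r}")
        rows = lookup_parameterized(db, value)
        print(f"parameterized {value!r:26} -> {len(rows)} row(s)")
```

Run it directly to see the three inputs handled both ways. The lesson is that escaping apostrophes by hand is only a partial defense; binding the value through a placeholder, which every platform named above supports (prepared statements through PDO in PHP, SqlParameter in ASP.NET, PreparedStatement in JSP), keeps the input out of the SQL parser entirely, so no error message and no altered WHERE clause can result.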