Prevent yourself from SQL Injection Attacks!!
Hi Guys,
"This Thread is for Educational purpose only" (The examples given here are very basic... all websites are well protected from these types of simple SQL injection attacks 😉, anyways I have to put this line to warn you anyway:sshhh😀
Database security is a huge issue. Having your database compromised is about the worst thing that can happen to a web developer; especially if it contains sensitive user information (passwords, credit card numbers, e-mail addresses etc.). Even if you store your confidential data securely, you don’t want anything to be accessible to anyone but yourself. SQL injection attacks are a common vulnerability that many beginning programmers fall victim to. So CE takes you into the SQL injection attacks and prevention methods, so here we go.....
What is SQL Injection?
SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it. Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire machine. Attackers commonly insert single qoutes into a URL's query string, or into a forms input field to test for SQL Injection. If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection.
In PHP/MySQL, an SQL injection attack is performed by submitting a particular string through a form that causes your SQL query to behave differently than expected. For example, say you have a login form that checks a username/password combination with a database using a simple SQL query:
The query then becomes:
This is a very basic version of an SQL injection attack but it gives a good illustration of how it works. You’d be surprised how often this works due to poor code implementation.
Other variations of strings used for SQL injection is as follows:
Setting Maxlength:
The first method I’ll discuss is ineffective but is often suggested. That is setting a maxlength on an input field to disallow users from entering long complex SQL injection attacks. Setting the maxlength attribute on an HTML input field is merely a small obstacle that can be easily circumvented. In fact, anything that is client side is not a solution but merely an inconvenience for an intruder. Not to mention the example in the last article comprised of a mere 8 characters!
Limit Permissions:
The database user that you use to connect to your database should not be set as the top level administrator. Instead, create a new user that contains only the permissions required by your web site. For example, if the front end of your website only reads data from the database then connect to the database with an account that only has SELECT permissions. This method is indeed useful, but with a proper attack, an intruder can create their own superuser from a simple SELECT statement as well.
Turn on Magic Quotes:
Turn on magic quotes in your PHP server settings (that’s the magic_quotes_gpc variable). What this does is automatically escape quotes and other special characters with a backslash; that way SQL won’t recognize the quote as part of the query and treat it just like any other character. This is automatically done for any HTTP request data including POST, GET and COOKIE. Because it only filters HTTP request data, magic quotes stops most but not all SQL injection attacks! Data passed into SQL statements from the database or files is not filtered and thus can be manipulated to become an SQL injection attack depending on how your site uses this data.
However, this is probably the best solution for beginners. It’s “set it and forget it” since all the work is done for you automatically. Unfortunately, if for some reason magic quotes gets turned off (a possibility with managed hosting/shared hosting), your website is suddenly at risk for an SQL injection attack. This is why you should always do some of your own dirty work 😉
Do your own Input Cleaning:
Since you can never be sure that magic quotes will stay on, you should always clean up submitted data on your own. This can be done by checking whether magic quotes is on with the get_magic_quotes_gpc() command. If it returns false, you can escape quotes and special characters manually with the simple addslashes command. It’ll look a little something like this:
More attacks and preventions to come..... so stay connected!!!!😉
-Arvind(slashfear)
"This Thread is for Educational purpose only" (The examples given here are very basic... all websites are well protected from these types of simple SQL injection attacks 😉, anyways I have to put this line to warn you anyway:sshhh😀
Database security is a huge issue. Having your database compromised is about the worst thing that can happen to a web developer; especially if it contains sensitive user information (passwords, credit card numbers, e-mail addresses etc.). Even if you store your confidential data securely, you don’t want anything to be accessible to anyone but yourself. SQL injection attacks are a common vulnerability that many beginning programmers fall victim to. So CE takes you into the SQL injection attacks and prevention methods, so here we go.....
What is SQL Injection?
SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it. Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire machine. Attackers commonly insert single qoutes into a URL's query string, or into a forms input field to test for SQL Injection. If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection.
In PHP/MySQL, an SQL injection attack is performed by submitting a particular string through a form that causes your SQL query to behave differently than expected. For example, say you have a login form that checks a username/password combination with a database using a simple SQL query:
[B]SELECT * FROM users WHERE username = ‘$input_username‘ AND password = ‘$input_password‘[/B]where $input_username and $input_password are submitted values taken from the login form. So if there is a person with username “admin” and password “secret”, when you enter “admin” and “secret” into the login page, the query becomes:
[B]SELECT * FROM users WHERE username = ‘admin‘ AND password = ‘secret‘[/B]The query will indeed find a row with these values and thus will log the user in. The problem arises when an unauthorized user enters “admin” as the username and something like this as the password: ‘ or 1=1--
The query then becomes:
[B]“SELECT * FROM users WHERE username =’admin‘ AND password = ‘‘ OR 1=1--'[/B]This will find a matching row no matter what the username is. The single quote entered as part of the password is added into the query statement and is treated as a closing single quote as opposed to being part of the password. And since 1=1 is always true, your unauthorized user is now logged in as “admin” without knowing the password. (-- is single line comment, so will comment the last ')
This is a very basic version of an SQL injection attack but it gives a good illustration of how it works. You’d be surprised how often this works due to poor code implementation.
Other variations of strings used for SQL injection is as follows:
[B]admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a [/B]
Preventing your website from these type of SQL injection:Setting Maxlength:
The first method I’ll discuss is ineffective but is often suggested. That is setting a maxlength on an input field to disallow users from entering long complex SQL injection attacks. Setting the maxlength attribute on an HTML input field is merely a small obstacle that can be easily circumvented. In fact, anything that is client side is not a solution but merely an inconvenience for an intruder. Not to mention the example in the last article comprised of a mere 8 characters!
Limit Permissions:
The database user that you use to connect to your database should not be set as the top level administrator. Instead, create a new user that contains only the permissions required by your web site. For example, if the front end of your website only reads data from the database then connect to the database with an account that only has SELECT permissions. This method is indeed useful, but with a proper attack, an intruder can create their own superuser from a simple SELECT statement as well.
Turn on Magic Quotes:
Turn on magic quotes in your PHP server settings (that’s the magic_quotes_gpc variable). What this does is automatically escape quotes and other special characters with a backslash; that way SQL won’t recognize the quote as part of the query and treat it just like any other character. This is automatically done for any HTTP request data including POST, GET and COOKIE. Because it only filters HTTP request data, magic quotes stops most but not all SQL injection attacks! Data passed into SQL statements from the database or files is not filtered and thus can be manipulated to become an SQL injection attack depending on how your site uses this data.
However, this is probably the best solution for beginners. It’s “set it and forget it” since all the work is done for you automatically. Unfortunately, if for some reason magic quotes gets turned off (a possibility with managed hosting/shared hosting), your website is suddenly at risk for an SQL injection attack. This is why you should always do some of your own dirty work 😉
Do your own Input Cleaning:
Since you can never be sure that magic quotes will stay on, you should always clean up submitted data on your own. This can be done by checking whether magic quotes is on with the get_magic_quotes_gpc() command. If it returns false, you can escape quotes and special characters manually with the simple addslashes command. It’ll look a little something like this:
[B]$username = $_POST['username'];
$password = $_POST['password'];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
}[/B]
Another method is to assume magic quotes is always off and do your own cleaning for everything. Harry Fuecks from SitePoint came up with this little piece of code to strip any slashes added by magic quotes if it is on. This way you have a guarantee that all data you work with is untouched by magic quotes.
[B]if (get_magic_quotes_gpc()) {
$_REQUEST = array_map(’stripslashes’, $_REQUEST);
$_GET = array_map(’stripslashes’, $_GET);
$_POST = array_map(’stripslashes’, $_POST);
$_COOKIE = array_map(’stripslashes’, $_COOKIE); }[/B]
The best method of all is a combination of all the solutions above. If nothing, make sure you understand how magic quotes work instead of simply taking it for granted because one day it will get turned off and you’ll be screwed! Magic quotes is your friend but remember, it doesn’t prevent all SQL injection attacks. So to be really secure, it is best to do your own cleaning, assuming you do it properly that is!More attacks and preventions to come..... so stay connected!!!!😉
-Arvind(slashfear)
0
