Jan 28, 2011

Understanding the SQL Injection Attack

When you use information from an outside source to build your SQL query, you may be vulnerable to SQL injection attacks. The hacker may manipulate the SQL query, changing it into one that affects your website. For example, he may build a new SQL query and get your admin password very easily.

When you use unchecked data from a form to build your SQL queries, you give hackers a golden opportunity to exploit your application. In that way they can create an SQL statement that serves their purposes. For example, if you use the following code for user login:

// Vulnerable login code: the form values are placed straight into the query text
$user = $_POST['user_id'];
$password = $_POST['password'];
$sql = "SELECT COUNT(*) FROM arthackers_users
        WHERE user_id='$user' AND password='$password'";

If this query returns a count higher than 0, the user ID and the password matched a row, and the user is logged in. In this case, the data entered into the form by the user is used without any checking. The hacker may enter the following into the user ID field:

' or 1=1 --

The query then becomes:

SELECT COUNT(*) FROM arthackers_users WHERE user_id='' or 1=1 -- and password='$password'

This query will always return a count higher than 1, because 1=1 is always true. The -- makes the rest of the query into a comment, which is ignored by SQL, and the user is logged in.

Hackers may also use multiple queries to damage your application. Many SQL clients allow several queries to be executed at a time, separated by a semicolon ";". So the hacker may be able to manipulate your SQL queries and insert malicious code.

One measure to protect your database is to escape the quotes in any outside information before it goes into a query. PHP offers two ways to do this:

Magic quotes: a setting in your php.ini file that is turned on by default and escapes incoming data automatically.

The addslashes function: a PHP function that escapes quotes. A matching stripslashes function removes the slashes when needed, such as when you want to display the information on the web page without showing a bunch of ugly slashes.
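The following is an added example, not code from the original post: it runs the post's vulnerable login query against a small in-memory SQLite table of constructed sample users, and places next to it a prepared-statement version, which is the stronger alternative to the quote escaping described above. It assumes PHP with the PDO SQLite driver; the table and column names follow the post.

```php
<?php
// Added example: vulnerable login query beside a parameterised one.
// Assumes PHP with the PDO SQLite driver; sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE arthackers_users (user_id TEXT, password TEXT)");
$db->exec("INSERT INTO arthackers_users VALUES ('admin', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: form input is interpolated into the SQL text, as in the post.
// An input containing a quote changes the structure of the statement.
function loginUnsafe(PDO $db, string $user, string $password): int
{
    $sql = "SELECT COUNT(*) FROM arthackers_users
            WHERE user_id='$user' AND password='$password'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened: a prepared statement sends the SQL and the values separately,
// so the input is always treated as data and never as SQL syntax.
// (The post's own remedy is escaping with addslashes or magic quotes;
// placeholders avoid depending on escaping being applied correctly.)
function loginSafe(PDO $db, string $user, string $password): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM arthackers_users
                          WHERE user_id = :u AND password = :p");
    $stmt->execute([':u' => $user, ':p' => $password]);
    return (int) $stmt->fetchColumn();
}

$payload = "' or 1=1 --";   // the input shown in the post

// A normal login matches exactly one row in both versions.
printf("unsafe, normal login: %d\n", loginUnsafe($db, 'admin', 's3cret'));
printf("safe, normal login:   %d\n", loginSafe($db, 'admin', 's3cret'));

// With the injected input the unsafe query matches every row (the password
// check is commented out), while the safe query matches nothing because
// no user_id is literally "' or 1=1 --".
printf("unsafe, injected:     %d\n", loginUnsafe($db, $payload, 'x'));
printf("safe, injected:       %d\n", loginSafe($db, $payload, 'x'));
```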
