Home Accessibility Courses Diary The Mouth Facebook Resources Site Map About Us Contact
What is an SQL injection attack?

It's where an unauthorised user enters illegal data that gets placed into an SQL command, with the purpose of changing the meaning of that SQL command. For example, you might use the SQL query
   SELECT count(id) FROM user where uname = "xxxxxx" and pword = "yyyyy"
to validate a user name and password pair when someone logs in to your application, replacing the xxxxxx and yyyyy with the information the person enters on a form. In testing, that will work fine for you, but if your user were to complete the form so that:
   xxxxxx becomes hack" or 1 = 1 -- "
   yyyyy becomes anything
then returned values will be greater than 0 ... probably allowing an unauthorised login.

How come there's this problem? This is what the command that's run has become:
   SELECT count(id) FROM user where uname = "hack" or 1 = 1 -- "" and pword = "anything"
Anything after the -- sign is treated by most SQL engines as a comment (so the password is unchecked) and every line will match because 1 always equals 1!

Can you prevent this problem in your applications? Yes, absolutely, if you know of the potential problems and do something to avoid them. This isn't going to be a complete paper on SQL security, but you'll do well to start by \ protecting any " and ' characters that the user enters ... that way, your query will say "literally a " " or "literally a ' " rather than anything more dangerous.
(written 2005-08-02, updated 2006-06-05)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
S161 - Data Access and Security in MySQL
  [3270] SQL - Data v Metadata, and the various stages of data selection - (2011-04-29)
  [2647] Removing duplicates from a MySQL table - (2010-02-22)
  [2263] Mysqldump fails as a cron job - a work around - (2009-06-30)
  [2204] Images in a database? How big is a database? (MySQL) - (2009-05-28)
  [1131] MySQL - Password security (authentication protocol) - (2007-04-02)
  [947] What is an SQL injection attack? - (2006-11-27)
  [647] Checking for MySQL errors - (2006-03-15)
  [535] MySQL permissions and privileges - (2005-12-20)
  [193] The wrong MySQL - (2005-01-29)
  [192] Current MySQL and PHP paths and upgrades - (2005-01-28)


Back to
New in the shops
Previous and next
or
Horse's mouth home
Forward to
Netless
Some other Articles
Horse's Mouth is a year old
How to check that a string contains a number in Tcl
Full circle - made it back to an old haunt
Netless
What is an SQL injection attack?
New in the shops
simplicity hides real size
Training course material - why we write our own
Where now for dial-up providers?
The next technologies
4280 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2014: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • FAX: 01144 1225 899360 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/401_What ... tack-.html • PAGE BUILT: Sun Mar 30 15:20:58 2014 • BUILD SYSTEM: WomanWithCat