
SQL Injection

SQL injection is a security flaw in which an attacker gains access to your database by manipulating the variables a script passes into its queries. This kind of access can be used to add new content to your database, change the existing content, delete data, or gain access to your system's control panel.

To understand how this is possible, let's look at the basics of how scripts read data from variables present in the URL and how the values of these variables are then used to access the database.

Assume you have a URL such as http://www.yoursite.com/article.php?id=12345. This passes to the script "article.php" a variable named "id" with the value "12345."

Inside this script, the variable is used to access the database with a query such as:

SELECT title,content FROM articles WHERE id=$id;

This query instructs the database to pull the columns "title" and "content" from the table "articles" for the row where the "id" column equals the value passed through the variable "$id". Using the URL from our example, this query pulls the title and content of article number 12345.

But what if a hacker manipulates the value of the variable "$id"? Suppose the hacker changes the URL to something like:

http://www.yoursite.com/article.php?id=12345;DELETE%20FROM%20articles

The query that will be sent to the database will be:

SELECT title,content FROM articles WHERE id=12345;DELETE FROM articles

And guess what? Every row in the table "articles" will be deleted.

The most common use of SQL injection is to gain access to the website's control panel.

Assume that the hacker has found a login screen asking for a user name and a password, and that the user name and password are inserted into a query such as:

SELECT * FROM users WHERE login='$login' AND password='$password';

Now, assume that the hacker simply types 1' OR '1' = '1 as the login and 1' OR '1' = '1 as the password. These values produce the following query:

SELECT * FROM users WHERE login='1' OR '1' = '1' AND password='1' OR '1' = '1';

Because of the added logic (OR '1'='1'), the WHERE clause is always true, so the query returns rows regardless of the login and password entered, allowing the hacker to access the data or control panel that was supposedly protected by a password.

There are some basic procedures that protect scripts against SQL injections. Let’s talk about them.
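As an added example (not code from the article or its site), the following Python script with sqlite3 builds the login query both ways: pasted together from the input, as the script above does, and with bound parameters, which is the standard defense. The in-memory "users" and "articles" tables and the "alice" account are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the article's "users" and
# "articles" tables; no real site or data is involved.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, content TEXT)")
    conn.execute("INSERT INTO articles VALUES (12345, 'Hello', 'First post')")
    conn.commit()
    return conn

def login_vulnerable(conn, login, password):
    # Same construction as the article's script: the values are pasted into
    # the SQL text, so quote characters in the input become part of the SQL.
    sql = f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, login, password):
    # Placeholders: the driver sends the values separately from the SQL text,
    # so the input is only ever compared with the column, never parsed as SQL.
    sql = "SELECT * FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (login, password)).fetchone() is not None

def article_parameterized(conn, article_id):
    # Validate the URL parameter as an integer first; anything else (such as
    # the article's "12345;DELETE FROM articles") is rejected before any SQL
    # runs, and the validated value is bound rather than concatenated.
    try:
        article_id = int(article_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT title, content FROM articles WHERE id=?", (article_id,)
    ).fetchone()

INJECTED = "1' OR '1' = '1"   # the input from the article's login example

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, INJECTED, INJECTED))          # True: bypassed
    print(login_parameterized(conn, INJECTED, INJECTED))       # False
    print(login_parameterized(conn, "alice", "correct horse")) # True
    print(article_parameterized(conn, "12345"))                # ('Hello', 'First post')
```

The parameterized version also handles legitimate input containing quotes (a login such as o'brien) without any escaping code in the script.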


Gabriel Torres is a Brazilian best-selling ICT expert, with 24 books published. He started his online career in 1996, when he launched Clube do Hardware, which is one of the oldest and largest websites about technology in Brazil. He created Hardware Secrets in 1999 to expand his knowledge outside his home country.