SQL Injection

What is an SQL Injection Attack?

The notorious SQL Injection vulnerability is among the most critical security vulnerabilities, considering the ease and impact of exploitation. This type of vulnerability is mostly found in legacy applications, thanks to the advent of ORMs and better database libraries.

SQL Injection vulnerabilities are found where non-sanitized user input is used in conjunction with database queries. Guessing the SQL query being used for a certain operation, the attacker inserts SQL code into the input, causing the database to execute the attacker’s code, rather than what was intended by the application.

The attacker can exploit this vulnerability to gain access to critical data or to cause severe damage and data loss.

An Example of a Vulnerability

In this example, a web site allows users to sign in and communicate with their friends. The user credentials are stored in a database table named users, with three columns: id, email and password.

On the sign in page, a form with input fields for the user’s email address and password is available. The form sends the sign in request to a page with the following code:

<?php
// $conn is a PostgreSQL connection opened earlier (not shown).
$email = $_POST['email'];
$password = md5($_POST['password']);
// Vulnerable: the raw email value is interpolated straight into the SQL text.
$query  = "SELECT * FROM users WHERE email = '$email' AND password = '$password';";
$result = pg_query($conn, $query);

An attacker may use the email field on the sign in page to prematurely end the query intended by the application and append their own query to be executed afterwards.

By entering the following email address, the attacker will cause all users of the website to be removed: [email protected]'; DROP TABLE users; --.

This happens because the email address is inserted directly into the query string without any escaping or sanitization of special characters. The actual query executed by the database looks like this: SELECT * FROM users WHERE email = '[email protected]'; DROP TABLE users; --' AND password = '';

The double dashes at the end of the input mark a comment, so the database does not evaluate anything that follows the comment marker.

This vulnerability can be exploited in many other conceivable ways, for example to change the password of another user, gain administrator privileges or extract sensitive data.

How To Defend Against SQL Injection Attacks

As a general rule, all communication with SQL databases from the application should happen through a library that takes care of handling user input safely before it reaches a database query (typically by passing it as bound query parameters rather than splicing it into the query text).

This also implies using the database library correctly and never circumventing it by building queries from user input with crude string concatenation.

A code security review is the best way to ensure that all parts of the application adhere to these guidelines.
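The following is an added Python example, not code from the original page, that puts the vulnerable sign-in query above beside the parameterized form the defence section describes. It uses sqlite3 in place of PostgreSQL, with a constructed schema, seed users and addresses; executescript stands in for pg_query's acceptance of several statements in one call.

```python
import hashlib
import sqlite3

# Constructed sample data; the schema mirrors the page's users table.
SEED_USERS = [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]

# The page's payload, with a constructed address in place of the obfuscated one.
PAYLOAD_EMAIL = "victim@example.com'; DROP TABLE users; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    for email, pw in SEED_USERS:
        # md5 mirrors the page's PHP; a slow salted hash is what real code should use.
        conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                     (email, hashlib.md5(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'").fetchone()
    return row is not None


def login_vulnerable(conn, email, password):
    """Builds the query by string interpolation, as the page's PHP does."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = f"SELECT * FROM users WHERE email = '{email}' AND password = '{pw_hash}';"
    # executescript accepts several ';'-separated statements (as pg_query does),
    # so a statement smuggled in through `email` runs too. It returns no rows.
    conn.executescript(query)
    return query


def login_safe(conn, email, password):
    """Parameterized query: the quote and semicolon stay plain characters in a value."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return conn.execute("SELECT id, email FROM users WHERE email = ? AND password = ?",
                        (email, pw_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("safe:", login_safe(db, "alice@example.com", "correct horse"), login_safe(db, PAYLOAD_EMAIL, ""))
    login_vulnerable(db, PAYLOAD_EMAIL, "")
    print("users table survives vulnerable login:", users_table_exists(db))
```

The safe function treats the payload as an email address that matches nobody and leaves the table intact; the interpolated version executes the injected DROP TABLE.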

More useful information may be found at:

Let Us Review Your Software

We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify security critical parts of the software.

This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.

Simple Pricing
  • Security review of your software by experts
  • OWASP Top 10 vulnerability check
  • Security Report with recommendations
  • Invaluable insights into the state of security in your application
  • Fixed Price per Review

    $5,000