Learn About SQL Injection Attacks

Learn how attackers inject into SQL queries and how you can prevent it. SQL Injection (SQLi) is an injection attack that lets an attacker execute malicious SQL statements against an application's database.

Let’s talk about one of the most severe vulnerabilities that can happen to your application: SQL injections.

SQL injections allow attacker code to change the structure of your application’s SQL queries to steal data, modify data, or potentially execute arbitrary commands in the underlying operating system.

For example, let’s say that your web application’s database contains a table called Users. This table contains three columns: Id, Username, and Password, which respectively contain the user ID, username, and password of each registered user.

(Image: a table with columns Id, Username, and Password, showing three rows of sample data)

And on your website, you prompt your users for their username and password.

(Image: a login form reading “Welcome! Log in here!” above empty username and password fields)

The username and password that the user submits are inserted into a SQL query to log the user in. For example, if the user enters the username “user” and the password “password123,” the following SQL query is executed to find the ID of the user with the matching Username and Password. Your application then logs in the user with that user ID.

SELECT Id FROM Users
WHERE Username='user' AND Password='password123';

SQL Injection Attacks

So what is the problem here? The problem is that attackers can insert characters that have special meaning in SQL to alter the query's logic and make the database execute arbitrary SQL. For example, what if an attacker submits this string as their username?

username="admin'; -- "&password=""

The SQL query generated would become:

SELECT Id FROM Users
WHERE Username='admin'; -- ' AND Password='';

The -- sequence starts a SQL comment that runs to the end of the line. By placing -- in the username, the attacker comments out the rest of the query, including the application's own closing quote and the password check (in MySQL, -- must be followed by whitespace to count as a comment, which is why the payload ends with a space). The query effectively becomes:

SELECT Id FROM Users WHERE Username='admin';

This query will return the admin user’s ID, regardless of the password provided by the attacker. By injecting into the SQL query, the attacker bypassed authentication and can log in as the admin without knowing the correct password! And this is what SQL injection is: By injecting special characters and changing the SQL query structure, attackers can cause the database to execute unintended SQL code.
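The authentication bypass described above, reproduced as an added example (this is not code from the original article) in Python against an in-memory SQLite database with constructed sample users. login_vulnerable builds the query by string concatenation exactly as the article's application does; login_safe is the same lookup with bound parameters, the standard fix: the SQL text is fixed and the driver passes the values separately, so a quote or comment marker in the input is just data. The function names, the seed rows and the use of SQLite are my assumptions.

```python
import sqlite3

# Constructed sample rows mirroring the article's Users table (not real credentials).
SEED_USERS = [(1, "admin", "S3cret!"), (2, "user", "password123")]

# The article's authentication-bypass payload: the quote closes the string literal,
# the semicolon ends the statement, and "-- " comments out the password check.
BYPASS_PAYLOAD = "admin'; -- "


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with the article's Users(Id, Username, Password) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", SEED_USERS)
    return db


def build_login_sql(username: str, password: str) -> str:
    """How the vulnerable application assembles the query: user input pasted into SQL text."""
    return f"SELECT Id FROM Users WHERE Username='{username}' AND Password='{password}';"


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Return the matched user's Id, or None. Injectable: input can change the query structure."""
    row = db.execute(build_login_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters. The SQL text never changes; the driver hands the
    values to the engine out of band, so they can only ever be compared, never parsed."""
    sql = "SELECT Id FROM Users WHERE Username=? AND Password=?;"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_login_sql(BYPASS_PAYLOAD, ""))
    print("vulnerable:", login_vulnerable(db, BYPASS_PAYLOAD, ""))  # 1: logged in as admin
    print("safe:      ", login_safe(db, BYPASS_PAYLOAD, ""))        # None: no such username
    print("legit:     ", login_safe(db, "user", "password123"))     # 2: normal login works
```

Like the article, the example stores passwords in plaintext to keep the focus on the query; a real application would store a salted hash and compare against that, which is an independent issue from the injection.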

Exploiting SQL Injections

Authentication bypasses are not the only thing that attackers can achieve with a SQL injection vulnerability. They might also be able to retrieve data from the server that they should not be allowed to access.

Let’s say your website allows users to access a list of their emails by providing the server a username and access key to prove their identity.

username="vickie"&accesskey="ZB6w0YLjzvAVmp6zvr"

For example, this request would generate a query to the database with this SQL statement.

SELECT Title, Body FROM Emails
WHERE Username='vickie' AND AccessKey='ZB6w0YLjzvAVmp6zvr';

In this case, attackers can turn the query into one that reads data from other tables they should not have access to, by submitting this access key:

username="vickie"&accesskey="ZB6w0YLjzvAVmp6zvr' UNION SELECT Username, Password FROM Users; -- "

Let’s break this payload down. If an attacker sends the above access key to the server, the server executes this SQL query (the application's own closing quote and semicolon end up behind the comment):

SELECT Title, Body FROM Emails
WHERE Username='vickie' AND AccessKey='ZB6w0YLjzvAVmp6zvr'
UNION SELECT Username, Password FROM Users; -- ';

The SQL UNION operator combines the results of two SELECT statements into a single result set, provided both return the same number of columns with compatible types. The attacker's second SELECT returns two columns (Username, Password) to match the application's two (Title, Body), so its rows come back through the same code path that renders the emails. The query now returns the user's emails followed by every username and password in the Users table, and the attacker can read all of them!
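The UNION-based data theft above, as an added example (not code from the original article) in Python against an in-memory SQLite database with constructed Users and Emails rows. Beyond the article's payload, exfiltrate also shows the column-count constraint: a UNION whose second SELECT returns three columns against a two-column query is rejected by the database, which is the error an attacker sees while probing for the right shape. The table layout for Emails, the seed rows and the function names are my assumptions.

```python
import sqlite3

# Constructed sample data for the article's two tables (not real users or keys).
SEED_USERS = [(1, "admin", "S3cret!"), (2, "vickie", "password123")]
VICKIE_KEY = "ZB6w0YLjzvAVmp6zvr"
SEED_EMAILS = [("vickie", VICKIE_KEY, "Hi", "Lunch tomorrow?")]


def make_db() -> sqlite3.Connection:
    """In-memory database with Users(Id, Username, Password) and Emails(Username, AccessKey, Title, Body)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    db.execute("CREATE TABLE Emails (Username TEXT, AccessKey TEXT, Title TEXT, Body TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", SEED_USERS)
    db.executemany("INSERT INTO Emails VALUES (?, ?, ?, ?)", SEED_EMAILS)
    return db


def emails_vulnerable(db: sqlite3.Connection, username: str, accesskey: str) -> list:
    """The article's query, built by concatenation. Injectable through either parameter."""
    sql = (f"SELECT Title, Body FROM Emails "
           f"WHERE Username='{username}' AND AccessKey='{accesskey}';")
    return db.execute(sql).fetchall()


def emails_safe(db: sqlite3.Connection, username: str, accesskey: str) -> list:
    """Same query with bound parameters: the UNION text is merely compared against AccessKey."""
    sql = "SELECT Title, Body FROM Emails WHERE Username=? AND AccessKey=?;"
    return db.execute(sql, (username, accesskey)).fetchall()


def union_payload(accesskey: str, columns: str = "Username, Password") -> str:
    """The article's access-key payload. `columns` must produce as many columns as the
    original SELECT (two here); otherwise the database refuses to compile the UNION."""
    return f"{accesskey}' UNION SELECT {columns} FROM Users; -- "


def exfiltrate(db: sqlite3.Connection, columns: str = "Username, Password"):
    """Run the UNION attack against the vulnerable endpoint. Returns the rows as a set
    (UNION gives no ordering guarantee), or None when the column count does not line up."""
    try:
        return set(emails_vulnerable(db, "vickie", union_payload(VICKIE_KEY, columns)))
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    print(exfiltrate(db))                            # vickie's email plus every Username/Password
    print(exfiltrate(db, "Id, Username, Password"))  # None: three columns against two, rejected
    print(emails_safe(db, "vickie", union_payload(VICKIE_KEY)))  # []: no such access key
```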

More Than SELECT Statements

SQL injection is not just limited to SELECT statements. Attackers can also inject into UPDATE statements used to update a record, DELETE statements used to delete existing records, and INSERT statements used to create new entries in a table. For example, let’s say that users can change their passwords by providing a new password in an HTTP form.

new_password="password12345"

The form causes the server to execute a SQL UPDATE query that sets the new password for the currently logged-in user, which in this case is the user with ID 2:

UPDATE Users
SET Password='password12345'
WHERE Id = 2;

Attackers control the value inside the SET clause of the UPDATE statement. So what if they submit a new password like this one?

new_password="password12345'; -- "

This request causes the UPDATE query to become the following (shown on a single line, because -- only comments out the remainder of the line it appears on, and the application builds the query as one line):

UPDATE Users SET Password='password12345'; -- ' WHERE Id = 2;

The WHERE clause in this query is commented out, so the query would change all of the passwords in the Users table to “password12345.” The attacker can now log in as anyone using the password “password12345.”
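The table-wide password reset above, as an added example (not code from the original article) in Python against an in-memory SQLite database with constructed users. The user ID comes from the session, as in the article, so only the new password is attacker-controlled; the vulnerable version still lets that one value terminate the statement ahead of the WHERE clause. The row count returned by the driver shows the blast radius directly: three rows for the injected update, one for the parameterized one. Seed rows and function names are my assumptions.

```python
import sqlite3

# Constructed sample users (not real credentials); the logged-in user is Id 2, as in the article.
SEED_USERS = [(1, "admin", "S3cret!"), (2, "vickie", "password123"), (3, "bob", "hunter2")]
CURRENT_USER_ID = 2
RESET_PAYLOAD = "password12345'; -- "   # the article's new_password value


def make_db() -> sqlite3.Connection:
    """In-memory database with the article's Users(Id, Username, Password) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", SEED_USERS)
    return db


def passwords(db: sqlite3.Connection) -> dict:
    """Snapshot of Username -> Password, to see which rows an update actually touched."""
    return dict(db.execute("SELECT Username, Password FROM Users ORDER BY Id"))


def change_password_vulnerable(db: sqlite3.Connection, user_id: int, new_password: str) -> int:
    """The article's UPDATE built by concatenation. Returns the number of rows changed.
    The payload's quote and semicolon end the statement early, so the WHERE clause that
    was meant to restrict the update to one user is left in a comment."""
    sql = f"UPDATE Users SET Password='{new_password}' WHERE Id = {user_id};"
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def change_password_safe(db: sqlite3.Connection, user_id: int, new_password: str) -> int:
    """Same UPDATE with bound parameters; the WHERE clause cannot be commented away and the
    payload is stored verbatim as the user's (odd) new password."""
    cur = db.execute("UPDATE Users SET Password=? WHERE Id = ?;", (new_password, user_id))
    db.commit()
    return cur.rowcount


def demo(safe: bool) -> tuple:
    """Run the article's request against a fresh database; return (rows changed, passwords)."""
    db = make_db()
    change = change_password_safe if safe else change_password_vulnerable
    return change(db, CURRENT_USER_ID, RESET_PAYLOAD), passwords(db)


if __name__ == "__main__":
    print(demo(safe=False))  # (3, every user now has 'password12345')
    print(demo(safe=True))   # (1, only vickie changed, to the literal payload string)
```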
