sql-injection

Uploaded by Gustavo Rocha

SQL injection

Server-side data

Client (browser)  <->  Server (web server)  <->  Database (private data)

Long-lived state is stored in a separate database. We need to protect this state from illicit access and tampering.
Server-side data

• Typically want ACID transactions
  • Atomicity
    - Transactions complete entirely or not at all
  • Consistency
    - The database is always in a valid state
  • Isolation
    - Results from a transaction aren't visible until it is complete
  • Durability
    - Once a transaction is committed, its effects persist despite, e.g., power failures
• Database Management Systems (DBMSes) provide these properties (and then some)
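The atomicity and consistency bullets above are easiest to see with a transaction that fails halfway. The following added example (not part of the original slides) uses Python's built-in sqlite3 module and a constructed two-row Accounts table with a CHECK constraint; a transfer credits the destination first and then debits the source, so when the debit would overdraw the account the DBMS must undo the credit it has already written:

```python
import sqlite3


def open_bank():
    """Constructed sample data: two accounts. The CHECK constraint is the
    consistency rule; the DBMS refuses any state where a balance is negative."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (Owner TEXT PRIMARY KEY, "
        "Balance INTEGER NOT NULL CHECK (Balance >= 0))"
    )
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?)", [("Dee", 100), ("Frank", 20)]
    )
    conn.commit()
    return conn


def balances(conn):
    """Current balances as {owner: balance}."""
    return dict(conn.execute("SELECT Owner, Balance FROM Accounts ORDER BY Owner"))


def transfer(conn, src, dst, amount):
    """Credit dst, then debit src, inside one transaction.

    If the debit violates the CHECK constraint, sqlite3 raises IntegrityError
    and the `with conn:` block rolls the transaction back, so the credit that
    was already applied disappears as well (atomicity: all or nothing).
    Returns True if the transfer committed, False if it was rolled back.
    """
    try:
        with conn:  # commits on normal exit, rolls back if an exception escapes
            conn.execute(
                "UPDATE Accounts SET Balance = Balance + ? WHERE Owner = ?",
                (amount, dst),
            )
            conn.execute(
                "UPDATE Accounts SET Balance = Balance - ? WHERE Owner = ?",
                (amount, src),
            )
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    bank = open_bank()
    print(transfer(bank, "Dee", "Frank", 30), balances(bank))    # committed
    print(transfer(bank, "Frank", "Dee", 500), balances(bank))   # rolled back, unchanged
```

Durability and isolation are not visible in a single in-memory connection; they would need an on-disk file and a second connection observing the table while the transfer is in flight.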
SQL (Standard Query Language)

Table: Users  (table name)

Name     Gender  Age  Email              Password
Dee      F       28   [email protected]    j3i8g8ha
Mac      M       7    [email protected]    a0u23bt
Charlie  M       32   [email protected]    0aergja      <- a row (record)
Dennis   M       28   [email protected]    1bjb9a93
Frank    M       57   [email protected]    ziog9gga

Each vertical slice (e.g. Age) is a column.

SELECT Age FROM Users WHERE Name='Dee';                    -- returns 28
UPDATE Users SET email='[email protected]' WHERE Age=32;     -- this is a comment
INSERT INTO Users Values('Frank', 'M', 57, ...);
DROP TABLE Users;
Server-side code

Website "login code" (PHP):

$result = mysql_query("select * from Users
                       where(name='$user' and password='$pass');");

Suppose you are successfully logged in as $user if this query returns any results.

How could you exploit this?


SQL injection

Input supplied as $user:  frank' OR 1=1); --

Template:
$result = mysql_query("select * from Users
                       where(name='$user' and password='$pass');");

Becomes:
$result = mysql_query("select * from Users
                       where(name='frank' OR 1=1); --
                       and password='whocares');");
SQL injection

Input supplied as $user:  frank' OR 1=1); DROP TABLE Users; --

Template:
$result = mysql_query("select * from Users
                       where(name='$user' and password='$pass');");

Becomes:
$result = mysql_query("select * from Users
                       where(name='frank' OR 1=1);
                       DROP TABLE Users; --
                       and password='whocares');");

Can chain together statements with semicolon:

STATEMENT 1 ; STATEMENT 2
SQL injection attacks are common

[Chart: percentage of reported vulnerabilities that are SQL injection, by year, 2002 through 2014; y-axis 0 to 20 %.]

Sources:
http://web.nvd.nist.gov/view/vuln/statistics
http://xkcd.com/327/
