Databases and Website Security
Website Security
J. Kasiroori
• The SQL injection attack typically works by prematurely terminating a text string and
appending a new command.
• Example SQL injection: suppose you have an SQL statement that says:
• You have a script to select users based on a certain mark for 4th years:
• SELECT student, mark FROM marks WHERE term_mark = t_mark AND year = 4;
• You expect the user to give you the mark they want for your visualisation.
• But the user provides this for t_mark = "> 1; --"
• This presents the attacker with ALL the marks in the table, and the comment marker
renders the rest of the statement invalid.
• I have seen code like this:
SELECT * FROM users WHERE username = '{username}' AND password = '{password}'
This is a blank cheque: a quote and a comment in the username cut the password check out of the query entirely.
SELECT * FROM users WHERE username = 'admin' -- ' AND password = 'anything';
Protections Against Attacks
Use prepared statements.
In the prepared statement, %s is the placeholder for the parameters (in this case, the username and
password); the values are passed to the database driver separately from the SQL text.
User inputs are treated as data, not as part of the SQL query itself, so a quote or comment marker in the input cannot change the query's structure.
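An added example, not part of the original slides, that runs the login query above both ways against a constructed in-memory SQLite table. It assumes Python's built-in sqlite3 module, whose placeholder is ? rather than %s; the data-versus-code point is identical.

```python
import sqlite3

# Constructed in-memory database standing in for the users table on the slide.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'wonderland')")


def login_unsafe(username, password):
    """The pattern from the slide: the input is pasted into the SQL text,
    so a quote followed by a comment marker rewrites the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_safe(username, password):
    """Prepared statement: the SQL text is fixed and the values travel
    separately, so the input is only ever compared as a string value.
    sqlite3 uses ? as the placeholder; drivers such as psycopg2 use %s."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    # A real user logs in either way.
    print(login_unsafe("admin", "s3cret"), login_safe("admin", "s3cret"))
    # The slide's "blank cheque" input: only the string-built query lets it through.
    print(login_unsafe("admin' --", "anything"), login_safe("admin' --", "anything"))
```

Passwords are stored in clear here only to mirror the slide; a real users table holds salted password hashes.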