1 / 11

SQL Injection

By Bart Carroll. SQL Injection. Main Points. What is SQL injection? How is it done? Examples How to prevent it. What Is SQL Injection?. A way of exploiting input fields in a program to display or drop tables or fields from a database.

alena
Download Presentation

SQL Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. By Bart Carroll SQL Injection

  2. Main Points • What is SQL injection? • How is it done? • Examples • How to prevent it

  3. What Is SQL Injection? • A way of exploiting input fields in a program to display or drop tables or fields from a database. • One of the most dangerous and preventable database exploits.

  4. How It Is Done • Assume table and field names • Assume a statement based on a user input field. • Example statement where userName is user supplied input: Statement= "SELECT * FROM users WHERE name = '" + userName + "';"

  5. How It Is Done • Construct a malicious SQL Statement for the userName Parameter: • Put statement into input field. • Resulting Statement sent to database: • userName = “a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%" SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

  6. Result • The User Table has now been dropped.

  7. Protection • Use Prepared Statements Instead of standard JDBC Statements (for Java). • Use Blind variables. • Use input validation to strip input of database characters. • Restrict Function access from PUBLIC to PRIVATE • Don't display error messages that tell everything about the database.

  8. JSP Oracle Example <%@ page import="org.alumnidb.beans.DbManage" %> <%@ page import="java.sql.*" %> <% if(!request.getMethod().equals("POST")){ %> <html> <head><title>SQL INJECTION EXAMPLE</title></head> <body> <form action="sqlInject.jsp" method=POST> Please enter your userName and password:<br> User:<input type="text" name=userName><br> Pass:<input type="text" name="password"><br> <input type="submit" value="submit"> </form> </body> </html> <% } %> <% if(request.getMethod().equals("POST")){ DbManage d = new DbManage(); Connection con = d.makeConnection(); String userName = request.getParameter("userName"); String password = request.getParameter("password"); Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery("SELECT * FROM Users WHERE userName = '" + userName + "' AND pass = '" + password + "'"); %> <html> <head><title>RESULT</title></head> <body> <b>Statement</b> = <% out.println("SELECT * from Users where userName = '" + userName + "'");%><br><br> <% while(rs.next()){ out.println("userName: " + rs.getString(2) + "<br>"); out.println("passWord: " + rs.getString(3) + "<br>"); }%> </body> </html> <% con.close(); stmt.close(); rs.close(); } %>

  9. Non-Vulnerable Version <%@ page import="org.alumnidb.beans.DbManage" %> <%@ page import="java.sql.*" %> <% if(!request.getMethod().equals("POST")){ %> <html> <head><title>SQL INJECTION EXAMPLE</title></head> <body> <form action="sqlInject2.jsp" method=POST> Please enter your userName and password:<br> User:<input type="text" name=userName><br> Pass:<input type="text" name="password"><br> <input type="submit" value="submit"> </form> </body> </html> <% } %> <% if(request.getMethod().equals("POST")){ DbManage d = new DbManage(); Connection con = d.makeConnection(); String userName = request.getParameter("userName"); String password = request.getParameter("password"); String query = "SELECT * FROM Users WHERE userName = ? and pass= ?"; PreparedStatement stmt = con.prepareStatement(query); stmt.setString(1, userName); stmt.setString(2, password); ResultSet rs = stmt.executeQuery(); %> <html> <head><title>RESULT</title></head> <body> <b>Statement</b> = <% out.println("SELECT * from Users where userName = '" + userName + "'");%><br><br> <% while(rs.next()){ out.println("userName: " + rs.getString(2) + "<br>"); out.println("passWord: " + rs.getString(3) + "<br>"); }%> </body> </html> <% con.close(); stmt.close(); rs.close(); } %>

  10. Sources • SQL Attacks By Example, Jan. 13 2005, <http://www.unixwiz.net/techtips/sql-injection.html> • Kost, Stephen, “An introduction to SQL injection Attacks for Oracle Developers”,2004 Integrity Corporation • Wikipedia.com, “SQL Injecton”, Nov. 16 2005, <http://en.wikipedia.org/wiki/Sql_injection> • McDonald, Stuart, “SQL Injection: Modes of Attack, Defense, and Why It Matters”, <http://www.governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.php>

  11. ?'s

More Related