March 21, 2006

SQL Injection

SQL injection is a security vulnerability occurring in the database layer of an application. Its source is the incorrect escaping of dynamically-generated strings embedded in SQL statements. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

For example, here is a sample basic HTML form with two inputs, username and password.

The easiest way for the login.php to work is by building a database query that looks like this:
FROM logins
WHERE username = '$username'
AND password = '$password'";
If the variables $username and $password are requested directly from the user's input without checking for special characters, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'";
Because the application is not really thinking about the query, but just constructing a string, the use of the single quotes has turned the WHERE into a two-component clause. The 'x'='x' part will be true no matter what the first part contains.

This could allow the attacker to bypass the login form without actually knowing a valid username / password combination!

For some reported cases of SQL Injection exposure in the wild, see:
See also:

This article originally appeared in my blog: All Things Quality
My name is Joe Strazzere and I'm currently a Director of Quality Assurance.
I like to lead, to test, and occasionally to write about leading and testing.
Find me at

No comments:

Post a Comment