Shady Blogic

My beautiful face

05/31/2015

Injection 2: The SQL

Technical Blog - Week 8

SQL injection is a code injection attack used to coerce databases to dump their contents to the attacker. One of the most common ways to accomplish this is by exploiting poorly secured user input using escape characters. Consider the following:

statement = "SELECT * FROM users WHERE name ='" + userName + "';"

The user is asked from their userName, which then gets inserted into the code and checked against the database:

statement = "SELECT * FROM users WHERE name ='" + Jacob + "';"

This would collapse the variable statement to:

statement = "SELECT * FROM users WHERE name ='Jacob';

This code checks the users database, and when the statement name='Jacob' returns true it returns that entry. But what would happen if instead of Jacob, we gave our name as:

' OR '1'='1

Well, let's see what our query looks like with that inserted.

statement = "SELECT * FROM users WHERE name ='" + ' OR '1'='1 + "';"

This collapses down to:

statement = "SELECT * FROM users WHERE name ='' OR '1'='1';

What does this mean? It means the code checks the users database like before, but now the statement it runs to check the userName reads name='' OR '1'='1'. Well, 1 ALWAYS = 1, so as it checks the entries in the users database it starts returning EVERY ENTRY. The insertion of escape characters ('') in the user input allows us to exit out of the programmed function and inject our own expression, allowing us to hijack the program. This is why it is extremely important to filter user inputs to reject things like escape characters.