Testing the Security of Your Website – Part 3
SQL Injection
SQL injection is a security flaw where the hacker is able to access your database by manipulating the script’s variables. This kind of access can be used to add new contents to your database, to change the existing contents, to delete your database, or to gain access to your system’s control panel.
To understand how this is possible, let’s see the basics of how scripts get data from variables present on the URL and how the values from these variables can then be used to access the database.
Assuming you have a URL such as https://www.yoursite.com/article.php?id=12345, the URL passes to the script “article.php” a variable named “id” with the value “12345.”
Inside this script, that variable is then used to access the database, in a query such as:
SELECT title,content FROM articles WHERE id=$id;
This query instructs the database to pull the columns “title” and “content” from the table “articles” for every row where the “id” column equals the value passed through the variable “$id”. Using the URL we gave as an example, this query will pull the title and contents of article number 12345.
But what if a hacker manipulates the value of the variable “$id”? If a hacker changes the URL to something like:
https://www.yoursite.com/article.php?id=12345;DELETE%20FROM%20articles
The query that will be sent to the database will be:
SELECT title,content FROM articles WHERE id=12345;DELETE FROM articles
And guess what? Every row in the table “articles” will be deleted.
The most common form of SQL injection is to gain access to the website’s control panel.
Assuming that the hacker found a login screen asking for a user and a password, and that the user name and password are inserted in a query such as:
SELECT * FROM users WHERE login='$login' AND password='$password';
Now, assume that the hacker simply typed in 1' OR '1' = '1 as the login and 1' OR '1' = '1 as the password. These values produce the following query:
SELECT * FROM users WHERE login='1' OR '1' = '1' AND password='1' OR '1' = '1';
Because of the logic added (OR '1'='1'), the WHERE condition always evaluates to true, so the query returns rows regardless of the login and password entered, allowing the hacker to access the data or control panel that was supposedly protected with a password.
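The login bypass above, reproduced against a constructed in-memory SQLite table so you can see the difference between a query built by string interpolation and the same query with bound parameters. This is an added example, not code from the original article; the “users” table schema and the admin row are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for the site's "users" table (assumed schema:
# the article never shows one). Not real credentials.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, login, password):
    """Builds the query by string interpolation, exactly like the
    login='$login' AND password='$password' pattern in the article.
    Quote characters in the input become part of the SQL."""
    query = (f"SELECT * FROM users WHERE login='{login}' "
             f"AND password='{password}';")
    return conn.execute(query).fetchall()

def login_safe(conn, login, password):
    """Same query, but the values travel as bound parameters, so the
    database treats them as data and never as SQL syntax."""
    query = "SELECT * FROM users WHERE login=? AND password=?;"
    return conn.execute(query, (login, password)).fetchall()

# The article's bypass value, typed into both the login and password fields.
PAYLOAD = "1' OR '1' = '1"

if __name__ == "__main__":
    db = make_db()
    # Interpolated version: WHERE clause is always true, admin row comes back.
    print("vulnerable:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    # Parameterised version: no user has that literal login, nothing comes back.
    print("safe:      ", login_safe(db, PAYLOAD, PAYLOAD))
    # A genuine login still works with the safe version.
    print("real user: ", login_safe(db, "admin", "s3cret"))
```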
There are some basic procedures that protect scripts against SQL injections. Let’s talk about them.
