SQL Injection
The act of entering SQL code into a field that is later parsed and used to construct a SQL query to a database. The intent is to make the database execute a statement that lets the attacker view, manipulate, or destroy information in the database, or elevate privileges.
Types of SQL Injection
Elementary SQL Injection
This is the typical form of SQL injection, which appends a SQL statement to the end of an input field whose value is sent to a database. Entering
Robert'; DROP TABLE Students;--
in a name field produces the following query against a school's database:
AND studentName = 'Robert';
DROP TABLE Students;
--'
This query first selects the student whose name is 'Robert' but then immediately deletes the 'Students' table from the database; Robert's parents won't find out about that 'F' he was getting in Biology. The pair of hyphens at the end is the SQL comment marker, so anything the application appends after the injected text, including the closing single quotation mark it adds around the input, is ignored.
Error-Based SQL Injection
This form of SQLi relies on detailed error messages from the database to learn about the database's structure, with the aim of refining the injection. Returning only generic error messages prevents this form of injection (though not injection as such, as blind injection shows).
Blind SQL Injection
Blind injection occurs when the application is vulnerable to SQLi but returns only generic error messages. The intent here again is to develop the injection by trial and error. This is usually done by sending queries that evaluate to true or false, or by telling the database to wait for a period of time before responding, so that faulty queries return sooner than well-formed ones.
UNION SQL Injection
This form of SQLi uses the UNION operator to combine the results of the intended query with rows from other tables.
Out-of-Band SQL Injection
This relatively uncommon attack occurs when an attacker cannot receive the response to their query over the same channel they submitted it on. Instead, it relies on the server's ability to use another protocol (such as HTTP or DNS) to deliver the response to the attacker's query.
SQL Injection Prevention
Use the principle of least privilege, meaning no user should have more access to resources than is necessary.
Use prepared statements with parameterized queries. These treat all input as data, which the application keeps separate from the query text.
Use stored procedures, which are pre-created SQL statements with parameters. This removes the need for dynamic SQL generation.
The difference between prepared statements and stored procedures is that stored procedures are defined and stored within the database but called from the application, whereas prepared statements reside in the application layer.
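The elementary example above and the parameterized-query advice, shown side by side in an added Python example (not code from the original page). It uses the standard-library sqlite3 module with a constructed in-memory Students table; the payload is the one from the text above, and executescript() is used only to model a driver that accepts stacked statements.

```python
import sqlite3

# Constructed sample payload: the "Bobby Tables" input from the text above.
MALICIOUS_NAME = "Robert'; DROP TABLE Students;--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory school database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, studentName TEXT, grade TEXT)")
    conn.executemany("INSERT INTO Students (studentName, grade) VALUES (?, ?)",
                     [("Alice", "A"), ("Robert", "F")])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the catalog so we can see whether an injected DROP actually ran."""
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> str:
    """VULNERABLE: the field value is pasted into the SQL text, so a quote in it
    ends the string literal and the rest becomes code. executescript() models a
    driver that accepts stacked statements; sqlite3's execute() happens to refuse
    them, which is a quirk of one driver, not a defence. Returns the SQL that ran."""
    sql = f"SELECT grade FROM Students WHERE studentName = '{name}';"
    conn.executescript(sql)
    return sql


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized query: the value travels separately from the statement, so the
    payload is only ever compared against studentName as data, never parsed as SQL."""
    rows = conn.execute("SELECT grade FROM Students WHERE studentName = ?", (name,)).fetchall()
    return [grade for (grade,) in rows]


if __name__ == "__main__":
    db = make_db()
    print("safe, benign:   ", lookup_safe(db, "Robert"))        # ['F']
    print("safe, malicious:", lookup_safe(db, MALICIOUS_NAME))  # []
    print("table survives: ", table_exists(db, "Students"))     # True
    print("ran:", lookup_vulnerable(db, MALICIOUS_NAME))
    print("table survives: ", table_exists(db, "Students"))     # False
```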