Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Part I: Introduction to SQL Injection

This is Part I of a serialization of a paper I have written on SQL injection defenses. As portions of the paper are finished I will post them on this blog. Topics will include a discussion on access control, security models, classification of attacks, and intrusion detection techniques.

SQL injection is a technique often used to exploit database systems through vulnerable web applications. The technique allows an attacker not only to steal the entire contents of relational databases but also, in many cases, to make arbitrary changes to both the database schema and its contents. Relational database server products have no mechanism to deal with SQL injection, as the problem is rooted not in the database server itself but in vulnerable applications combined with excessive privileges granted to their database users. In most cases a victim of a SQL injection attack does not even know that information has been compromised until long after the attack has passed, perhaps through an angry e-mail from a customer whose credit card number was stolen or from the attacker himself seeking some form of blackmail; the victim might never realize that the database system has been compromised at all. While the details of SQL injection attacks vary from implementation to implementation, all relational database systems on all platforms, both commercial and open source, are potentially susceptible to attack.

Most SQL injection attacks are executed through an application that takes user-supplied input for query parameters. The attacker supplies a carefully crafted string that forms a new query with results very different from what the application developer intended. For example, consider a script on a website that takes a search parameter and returns selected results from a database. A very simple attack may be possible by providing something like “1 OR 1=1” in the text field, which causes the SQL server to return all records from a particular table. An attacker can often gain access to anything available with the script’s privileges, which in many cases is full access to one or more databases.

While SQL injection attacks could be executed against any application, web applications are the most commonly vulnerable, since an attacker can easily explore a site for vulnerabilities without being caught or having to work through sophisticated network intrusion techniques; most prospective targets leave their web applications wide open. Firewalls and traditional network intrusion detection systems are useless against SQL injection because it is an application-layer exploit that in most cases is indistinguishable from expected use. Some signature-based detection systems have been developed for web servers to protect vulnerable scripts from malicious input. However, these signature-based systems are inherently susceptible to evasion methods that take advantage of the expressiveness of the SQL language or of alternate character encodings. Remarkably, writing scripts that are not vulnerable to SQL injection is as simple as passing all user-provided text through a string escaping function prior to its use as a parameter in a SQL statement, but as past experience has shown, vulnerable scripts are everywhere to be found.
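The search script and the “1 OR 1=1” input described above, as an added example that is not part of the original post. It builds a small in-memory SQLite table (constructed sample data) and contrasts the concatenated query with one that uses parameter binding, which is used here in place of the escaping function mentioned above because it keeps the user's text out of the SQL grammar regardless of whether the parameter is quoted.

```python
import sqlite3

# Constructed sample data (not from the post): two public products and one
# row the search is never supposed to surface.
ROWS = [
    (1, "widget", 1),
    (2, "gadget", 1),
    (3, "secret prototype", 0),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, product_id):
    """Concatenate the user's text into the statement (the mistake the post
    describes). '1 OR 1=1' turns the WHERE clause into
    (public = 1 AND id = 1) OR 1=1, so every row, public or not, comes back."""
    sql = ("SELECT id, name FROM products WHERE public = 1 AND id = "
           + product_id + " ORDER BY id")
    return conn.execute(sql).fetchall()


def search_safe(conn, product_id):
    """Bind the user's text as a parameter. The statement is compiled first
    and the value is supplied separately, so the text can only ever be
    compared against the id column; it cannot add an OR clause. Validating
    that the value is a well-formed integer before the query is a further,
    independent check."""
    sql = "SELECT id, name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return conn.execute(sql, (product_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for user_input in ("1", "1 OR 1=1"):
        print(repr(user_input), "concatenated:", search_vulnerable(db, user_input))
        print(repr(user_input), "bound:       ", search_safe(db, user_input))
```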

SQL injection affects every database on every platform. Attacks can be used to disclose information, to bypass authentication mechanisms, to modify the database, and, in some cases, to execute arbitrary code on the database server itself!


About Frank Rietta


Frank Rietta is a web application security consultant, software developer, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.