SQL Injection Attack Primer

By Deane Barker on January 17, 2005

SQL Injection Attacks by Example: This is a fantastic, step-by-step example of a SQL injection attack. If you’ve heard of these, but not quite understood what they are, then read this.

“SQL Injection” is a subset of the unverified/unsanitized user input vulnerability (“buffer overflows” are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is naively building SQL strings on the fly and then running them, it’s straightforward to create some real surprises.

In a nutshell, say you’re running SQL Server, and you form your SQL query like this:

SELECT * FROM passwords WHERE username = '[unsanitized Web form input]'

If someone enters this on your Web form:

whatever' OR 1=1 --

You’re now running this SQL:

SELECT * FROM passwords WHERE username = 'whatever' OR 1=1 --'

With SQL Server, “--” comments out the rest of the line, so the server never even sees the trailing apostrophe. Consequently, this query returns every row of the table.
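The three queries above, run end to end as an added example (not from the article or the linked write-up). It assumes a constructed `passwords` table in SQLite, which stands in for SQL Server here since both treat `--` as a line comment, and puts the concatenated query beside a quote-doubled variant and a parameterized one so the difference in returned rows is visible:

```python
import sqlite3

# Constructed sample data standing in for the article's "passwords" table.
ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Builds an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO passwords VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, exactly as the article warns against."""
    sql = "SELECT * FROM passwords WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, username):
    """Doubles single quotes (the SQL Server style escape) before concatenating."""
    sql = "SELECT * FROM passwords WHERE username = '" + username.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Passes the value as a bound parameter, so it is never parsed as SQL."""
    return conn.execute("SELECT * FROM passwords WHERE username = ?", (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "whatever' OR 1=1 --"
    print(lookup_vulnerable(conn, payload))     # every row: WHERE became "... OR 1=1"
    print(lookup_escaped(conn, payload))        # []: the quote is now literal text
    print(lookup_parameterized(conn, payload))  # []: the driver never interprets the value
    print(lookup_parameterized(conn, "bob"))    # [('bob', 'hunter2')]
```

Parameterized queries are the fix to prefer: escaping handles the quote character for one database dialect, while a bound parameter keeps data out of the parser entirely.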

Yes this may make my app break, you say, but how can it compromise security? Read the article — they use this exact technique to break into an intranet. It’s a great read for SQL geeks.

Via Joseph Scott.

  1. OK, seriously… I may be biased towards PHP because I’ve been using the language for three consecutive years now, but REALLY… has NO ONE heard of magic quotes?

    All anyone has to do to get around this is to make sure that quotes are escaped, either with slashes in the case of MySQL, an additional single quote (I think) in SQL Server, or whatever mechanism the SQL server of choice provides for escaping quotes.

    I’m sorry, but I’ve seen this point beat to death over the course of at least a year. It’s a really boneheaded mistake that a lot of inexperienced programmers can make and it’s one that’s not that difficult to fix on a case-by-case basis. Programmers who might do this just need to get into the mindset of not trusting any data that comes from the user.

    In short, the horse has had far too many funerals by this point. Quit kicking it, people.
