SQL Injection Attacks by Example: This is a fantastic, step-by-step example of a SQL injection attack. If you’ve heard of these, but not quite understood what they are, then read this.
“SQL Injection” is a subset of the unverified/unsanitized user input class of vulnerability (“buffer overflows” are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is naively building SQL strings on the fly and then running them, it’s straightforward to create some real surprises.
In a nutshell, say you’re running SQL Server, and you form your SQL query like this:
SELECT * FROM passwords WHERE username = '[unsanitized Web form input]'
If someone enters this on your Web form:
whatever' OR 1=1 --
You’re now running this SQL:
SELECT * FROM passwords WHERE username = 'whatever' OR 1=1 --'
With SQL Server, “--” comments out the rest of the line, so the server never even sees the trailing apostrophe. Consequently, this query returns every row of that table.
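As an added example (not from the linked article), here are the naive string-building form and the parameterized form side by side in Python, run against a constructed in-memory SQLite table; SQLite honours the same -- line comment, so the post’s form input behaves exactly as described.

```python
import sqlite3

# Constructed stand-in for the post's "passwords" table (sample data, not real credentials).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO passwords VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")])
    conn.commit()
    return conn

def lookup_naive(conn, username):
    """The vulnerable pattern from the post: the form value is pasted into the SQL text."""
    sql = "SELECT * FROM passwords WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT * FROM passwords WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# The exact form input quoted in the post.
PAYLOAD = "whatever' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_naive(conn, "alice"))          # one row, as intended
    print(lookup_naive(conn, PAYLOAD))          # every row: the WHERE clause was rewritten
    print(lookup_parameterized(conn, PAYLOAD))  # no rows: it looked for that literal username
```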
Yes, this may make my app break, you say, but how can it compromise security? Read the article — they use this exact technique to break into an intranet. It’s a great read for SQL geeks.
Via Joseph Scott.