I haven’t posted in so long! 🙂
So today, we will have a brief introduction to SQL injections (SQLi for short). For those of you who are unaware of such things, this technique can be used to hack/deface websites and is commonly used to extract privileged data from a website's database.
So, what are SQL injections?
First up, you should know what SQL is. If you don't, go here and find out a bit about it. In short, SQL is used for querying data from a database. Say we have a table called users. A typical SQL statement would be:
SELECT username, passwd, email FROM users;
This query is typed into a terminal running the appropriate query program. Now, on to injections. Many of the websites you encounter on the internet have their backend coded in PHP, and about as many are coded in ASP.NET. Both of them make queries to a database to determine various things, from checking usernames and passwords to searching for articles on a news website. The important part is this: both of them follow a similar procedure for making queries. They first construct a query string that resembles the one you saw above, and then pass that string to built-in functions that actually send the query on to the database. Here is some PHP code as an example:
$usr = $_GET['username'];   // raw, unvalidated input taken straight from the URL
$query = "SELECT username, passwd, email FROM users WHERE username='".$usr."';";   // input spliced directly into the SQL text
The code is simple enough to understand. The first line stores the username in a variable called $usr and the second line constructs the query. The code will then call the appropriate functions that send the query to the database.
Now for the loophole. The $usr variable is inserted into the query string exactly as received. So if $usr == "bk201", the query string becomes:
SELECT username, passwd, email FROM users WHERE username='bk201';
But suppose instead that $usr == "bk201'; INSERT INTO users VALUES( 'malicious_person', '123abc', 'hack@crack.com' );--"
All the attacker needs for this is the table name and the number of columns in it, both of which can be found out using a little more advanced SQL injection. This query would add his account to the website's database, and now the person with malicious intent can access what he shouldn't be able to.
Better still, he can use this:
$usr == "bk201'; DROP TABLE users;--"
The latter value makes $query equal to:
SELECT username, passwd, email FROM users WHERE username='bk201'; DROP TABLE users;--';
The -- turns the leftover quote and semicolon from the original query into a comment, so the database sees two clean statements. As you can see, this can be a disaster for the admin: the second statement deletes the table containing all the information about the site's users. For a user-driven website, this might mean shutting down the website itself.
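To make the two code paths concrete, here is an added example in Python (it is not the post's own PHP code) that builds the same query string by concatenation, runs it against a throwaway SQLite database seeded with constructed sample users, and then runs the same lookup as a parameterised query. The table layout and the two payloads are the ones quoted above; the sample rows, the in-memory database and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data, mirroring the post's "users" table.
SAMPLE_USERS = [
    ("bk201", "hunter2", "bk201@example.com"),
    ("alice", "s3cret", "alice@example.com"),
]

BENIGN_INPUT = "bk201"
# The two inputs quoted in the post above.
INSERT_PAYLOAD = "bk201'; INSERT INTO users VALUES( 'malicious_person', '123abc', 'hack@crack.com' );--"
DROP_PAYLOAD = "bk201'; DROP TABLE users;--"


def fresh_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_unsafe(usr):
    """Exactly what the post's PHP does: splice the raw input into the SQL text."""
    return "SELECT username, passwd, email FROM users WHERE username='" + usr + "';"


def lookup_unsafe(conn, usr):
    """Vulnerable path: the driver runs whatever text build_query_unsafe produced.

    executescript() is used because it accepts several ';'-separated statements,
    like the stacked queries the post describes. (sqlite3's plain execute() would
    refuse a second statement; that is a driver quirk, not a fix for the bug.)
    """
    conn.executescript(build_query_unsafe(usr))
    conn.commit()


def lookup_safe(conn, usr):
    """Fixed path: a parameterised query. The input is bound as a value and is
    never parsed as SQL, so quotes, ';' and '--' inside it are just characters."""
    cur = conn.execute(
        "SELECT username, passwd, email FROM users WHERE username = ?", (usr,)
    )
    return cur.fetchall()


def table_exists(conn):
    """True if the users table still exists in this database."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row is not None


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Run both code paths against fresh databases and collect what happened."""
    results = {}

    # 1. Concatenation + INSERT payload: the attacker's row is added.
    conn = fresh_db()
    lookup_unsafe(conn, INSERT_PAYLOAD)
    results["unsafe_insert_rows"] = user_count(conn)          # 3

    # 2. Concatenation + DROP payload: the whole table is gone.
    conn = fresh_db()
    lookup_unsafe(conn, DROP_PAYLOAD)
    results["unsafe_drop_table_exists"] = table_exists(conn)  # False

    # 3. Parameterised query with the same inputs: nothing matches, table intact.
    conn = fresh_db()
    results["safe_drop_rows"] = lookup_safe(conn, DROP_PAYLOAD)     # []
    lookup_safe(conn, INSERT_PAYLOAD)
    results["safe_insert_rows"] = user_count(conn)                  # still 2
    results["safe_table_exists"] = table_exists(conn)               # True
    results["safe_benign"] = lookup_safe(conn, BENIGN_INPUT)        # bk201's row
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take away is the difference between `build_query_unsafe` and `lookup_safe`: the first lets the database parse the user's text as part of the statement, the second hands the text to the driver as a value with a placeholder in the statement, which is the standard fix regardless of language (PHP's PDO and mysqli offer the same prepared-statement mechanism).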
Obviously, things aren't quite this easy, otherwise the internet would be in chaos. Only inexperienced webmasters build their sites so that someone can perform SQL injections on them. There are several ways to avoid this trouble, and we shall discuss them somewhere down the line. That will be it for now. If you have opinions on the matter, leave a comment. Also, please like and share ~_~