
SQL injection

  • injecting code into a dynamically constructed SQL statement, causing that code to execute

  • strategies for SQL injections:

    • Handy expression to make WHERE clause always true: 1=1

    • SQL comments single line: # or -- and multi line: /* ... */

    • use semicolon ; to end one statement and follow by another

      • note: depending on how the query is constructed on the server, multi-statement queries may be disabled
  • When attacking from command line, encode special characters:

    char      encoded
    (space)   %20
    #         %23
    '         %27
  • Select statements allow reading information

    • to change data you need UPDATE, INSERT or DELETE

    • look for fields that enable making changes, e.g. change password

Countermeasures

  • main cause for this vulnerability is mixing data and code → 3 main strategies to protect against it:

    1. removing code by filtering
    2. turning code into data by encoding
    3. clearly separating code and data
  • Filter and encode inputs using built-in and/or vetted tools

    • filtering and encoding do not address the fundamental cause of SQL injection, the mixing of data and code

    • best strategy is to not mix data and code

  • To separate code and data, use the SQL feature of prepared statements (or a comparable mechanism), which prepares a statement for future execution by parsing and compiling a template, optimizing it, and storing the result; no untrusted data is stored in this template

  • Prepared statements work by sending code via a code channel and untrusted data via a data channel → there is a clear boundary between the two, and data is never executed.
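An added example (not from the original notes) contrasting the two approaches above with Python's sqlite3 module. The table, user rows and login functions are constructed here for illustration; the same "always true" input from the strategies list returns every row when data is concatenated into code, and no row when it is bound as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database; not a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Data and code are mixed: the inputs become part of the SQL text.

    An input such as  ' OR 1=1 --  turns the WHERE clause into an
    always-true condition and comments out the password check.
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}' "
        "ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Code and data are separated: the template is fixed, values are bound.

    The driver sends the template and the values separately, so the
    quote and comment characters in the input are only ever compared
    as literal text against the stored column values.
    """
    sql = (
        "SELECT name FROM users "
        "WHERE name = ? AND password = ? "
        "ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (name, password))]
```

Note that sqlite3's `execute` refuses more than one statement per call, which is the driver-dependent "multi-statement queries may be disabled" caveat from the strategies list; it is not a substitute for parameterization.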