SQL Injection Attack
Posted by Ravi Khanal on Nov 10, 2008
SQL Injection is an attack technique used to exploit web sites by altering backend SQL statements through manipulated application input. It takes advantage of non-validated user input to inject SQL fragments dynamically into the application's existing statements for execution, and hence poses a severe security threat to supposedly secure systems. If an attacker can also reach system stored procedures and database server functions, then not only can they steal data from the database, but also modify and delete it.
Some examples of SQL injection attacks:
Example 1:
Suppose a page builds its query from a value typed into a form field.
If the input looks like:
Enter Product ID: 124 OR 2=2
then the corresponding SQL statement will be
select * from products where ProductId = 124 OR 2=2
This statement will always return rows, since 2=2 is true for every row regardless of the ProductId.
Example 2:
If there is a login validation form and a user enters the following:
Login: ' OR ''='
Password: ' OR ''='
then the corresponding SQL statement will be
SELECT IsAuthorized FROM Users WHERE Login = '' OR ''='' AND Password = '' OR ''=''
Prevention:
- Prevent unauthorized access to the database and limit the permissions granted to the database user account that the application uses.
- Validate user input properly before using it, stripping out potentially malicious characters.
- Always use parameterized SQL queries and stored procedures rather than building SQL statements dynamically from input.
- Avoid displaying the actual database errors or messages to end users.
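The following Python script, added here as an illustration and not part of the original post, runs Example 2 against a constructed in-memory SQLite table to contrast the dynamically built statement with the parameterized query recommended above. The table name, column names and the sample user are assumptions.

```python
import sqlite3

PAYLOAD = "' OR ''='"  # the Login/Password input from Example 2


def build_db():
    # Constructed sample database (assumption: a Users table with one valid account).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Login TEXT, Password TEXT, IsAuthorized INTEGER)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret', 1)")
    conn.commit()
    return conn


def vulnerable_sql(login, password):
    # Builds the statement by string concatenation, the pattern the post warns about.
    return ("SELECT IsAuthorized FROM Users WHERE Login = '" + login
            + "' AND Password = '" + password + "'")


def check_login_vulnerable(conn, login, password):
    # Quotes in the input become part of the SQL, so the WHERE clause is rewritten.
    rows = conn.execute(vulnerable_sql(login, password)).fetchall()
    return len(rows) > 0


def check_login_safe(conn, login, password):
    # Parameterized query: the driver binds the values, so quotes stay plain data.
    sql = "SELECT IsAuthorized FROM Users WHERE Login = ? AND Password = ?"
    rows = conn.execute(sql, (login, password)).fetchall()
    return len(rows) > 0


def demo():
    conn = build_db()
    return {
        "vulnerable_bypassed": check_login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_bypassed": check_login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_valid": check_login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(vulnerable_sql(PAYLOAD, PAYLOAD))
    print(demo())
```

Running it prints the injected statement from Example 2 and shows the concatenated version accepting the bogus credentials while the parameterized version rejects them.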