SQL Injection- Not a Cup of Cake

What is SQL Injection:

I have gone through many SQL Injectioimagesn tutorials before writing this post. One thing was common at every place, the queries coming from the readers. Many people don’t know what actually SQL Injection is. They think that they can easily enter into the database and make some changes, or they can simply inject some query and will have the username and password of the administrator. Well !!! Till some extent the concept is true but it is not that much easy.

So first we need to learn what is SQL Injection or better we should know what is SQL… SQL, the Structured Query Language, is the standard to access databases. Most web applications today use an SQL database to store persistent data for the application. It is likely that any web application you are testing uses an SQL database in the backend. Like many languages, SQL syntax is a mixture of database instructions and user data. If a developer is not careful, the user data could be interpreted as instructions, and a remote user could perform arbitrary instructions on the database. So, whenever we want any data to be accessed from any application our request goes in the form of SQL queries. Suppose for example, in any online library if we want to access any particular book then our request will go in form of following language,

So, in the above case the application takes the bookname from the user and searches it in the TABLE named my_library and if after matching returns that particular page. So it means if that particular name doesn’t match it should not return anything, but in actual scenario there is nothing stopping an attacker from injecting SQL statements in the bookname field to change the SQL query. Let’s re-examine the SQL query string.

The code expects the bookname string to be data. However, an attacker can input any characters he or she pleases. Imagine if an attacker entered the bookname ’OR 1=1 —  then the query string would look like this:

Note:- The double dash (–) tells the SQL parser that everything to the right is a comment.

The SELECT statement now acts much differently, because it will now return booktitle where the bookname is a zero length string (‘ ‘) or where 1=1; but 1=1 is always true! So this statement will return all the booktitle from my_library. In this case, the attacker placed SQL instructions (‘OR 1=1 –) in the bookname field instead of data.

Choosing Appropriate SQL Injection Code:

To inject SQL instructions successfully, the attacker must turn the developer’s existing SQL instructions into a valid SQL statement. Generally query like these work.

  • ‘ OR 1=1 —
  • ‘) OR 1=1 —

Also, many web applications provide extensive error reporting and debugging information. For example, attempting ‘ OR 1=1 — blindly in a web application often gives you an educational error message like this:

The particular error message shows the whole SQL statement. In this case, it appears that the SQL database was expecting an integer, not a string, so the injection string OR 1=1 –, without the proceeding apostrophe would work.
However, the attacker could inject other queries. For example, setting the username to this,

would change this query to this,

which is equivalent to this:

This statement will perform the syntactically correct SELECT statement and erase the user_table with the SQL DROP command.

There are many kinds of SQL Injection possible i.e. around 12 to 15. Some important types are: