SQL Injection

SQL injection attacks are attacks against websites that rely on relational databases.

In this type of site, parameters are passed to the database in the form of an SQL query. As such, if the designer does not verify the parameters passed in the SQL query, a hacker can modify the query in order to access the entire database and even to modify its content.

Some characters make it possible to string together several SQL queries or to ignore the rest of the query. By inserting this type of character in the query, a hacker can potentially execute the query of his choice.

Given the following query, waiting for a user name as a parameter:

SELECT * FROM users WHERE name="$name";

A hacker simply needs to enter a name such as "toto" OR 1=1 OR name ="titi" for the query to become as follows:

SELECT * FROM users WHERE name="toto" OR 1=1 OR name ="titi";

With the above query, the WHERE clause is always performed, which means it will return records that correspond to all users.

Stored procedures

Moreover, some database management systems such as Microsoft SQL Server have stored procedures that make it possible to launch administration commands. These stored procedures are potentially dangerous in that they can make it possible for a malicious user to execute system commands that may lead to a possible intrusion.

Countermeasures

A number of rules can help you protect yourself against SQL injection attacks:

• Verify the format of input data and particularly the presence of special characters;
• Do not display explicit error messages displaying the query or a part of the SQL query;
• Delete unused user accounts, and particularly default accounts;
• Avoid accounts without passwords;
• Keep the privileges of used accounts to a minimum;
• Delete stored procedures.