Geeks With Blogs
Sharvan Dhaka blog

SQL injection is a technique used to take advantage of non-validated
input vulnerabilities to pass SQL commands through a Web application for execution
by a backend database. Attackers take advantage of the fact that programmers often
chain together SQL commands with user-provided parameters, and can therefore embed
SQL commands inside these parameters. The result is that the attacker can execute
arbitrary SQL queries and/or commands on the backend database server through the
Web application.

Detailed description

Databases are fundamental components of Web applications. Databases enable Web applications
to store data, preferences and content elements. Using SQL, Web applications interact
with databases to dynamically build customized data views for each user. A common
example is a Web application that manages products. In one of the Web application's
dynamic pages (such as ASP), users are able to enter a product identifier and view
the product name and description. The request sent to the database to retrieve the
product's name and description is implemented by the following SQL statement.

SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = ProductNumber

Typically, Web applications use string queries, where the string contains both the
query itself and its parameters. The string is built using server-side script languages
such as ASP, JSP and CGI, and is then sent to the database server as a single SQL
statement. The following example demonstrates an ASP code that generates a SQL query.

sql_query= "SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber
" & Request.QueryString("ProductID")

The call Request.QueryString("ProductID") extracts the value of the Web form variable
ProductID so that it can be appended as the SELECT condition.

When a user enters the following URL:

The corresponding SQL query is executed:

SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = 123

An attacker may abuse the fact that the ProductID parameter is passed to the database
without sufficient validation. The attacker can manipulate the parameter's value
to build malicious SQL statements. For example, setting the value "123 OR 1=1" to
the ProductID variable results in the following URL: or 1=1

The corresponding SQL Statement is:

SELECT ProductName, Product Description From Products WHERE ProductNumber = 123
OR 1=1

This condition would always be true and all ProductName and ProductDescription pairs
are returned. The attacker can manipulate the application even further by inserting
malicious commands. For example, an attacker can request the following URL:;DROP TABLE Products

In this example the semicolon is used to pass the database server multiple statements
in a single execution. The second statement is "DROP TABLE Products" which causes
SQL Server to delete the entire Products table.

An attacker may use SQL injection to retrieve data from other tables as well. This
can be done using the SQL UNION SELECT statement. The UNION SELECT statement allows
the chaining of two separate SQL SELECT queries that have nothing in common. For
example, consider the following SQL query:

SELECT ProductName, ProductDescription FROM Products WHERE ProductID = '123' UNION
SELECT Username, Password FROM Users;

The result of this query is a table with two columns, containing the results of
the first and second queries, respectively. An attacker may use this type of SQL
injection by requesting the following URL: UNION SELECT user-name, password FROM USERS

Posted on Sunday, October 15, 2006 4:18 PM MS Sql | Back to top

Comments on this post: SQL Injection

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Sharvan Dhaka | Powered by: