SQL Injection: Techniques, Prevention, and Demonstration, Study notes of Computer Science

An in-depth analysis of SQL injection, a common web application security vulnerability. It covers the background of SQL injection, its techniques and examples, prevention methods, and a demonstration. The authors also discuss the dangerous effects of SQL injection and ways to prevent it through input validation, permissions and access rights, variable placeholders, and stored procedures.

Typology: Study notes

Pre 2010

Uploaded on 08/05/2009

koofers-user-5q6
SQL Injection
Database Security
Matt Collins, Tony Brown, Seth Levy, Jason Wallace
April 25, 2005
Sections: Introduction, Questions, Background, Techniques, Prevention, Demo, Conclusions


Outline
  • Background of SQL Injection
  • Techniques and Examples
  • Preventing SQL Injection
  • Demo

Databases: Where are they now?
  • Desktop Apps
  • Web Apps
  • Mainframes
  (compared on the slide by architecture: fat server, fat client, or fat server & fat client)

Why is SQL a standard?
  • Relational Database
  • Platform Independence
  • Loose Semantics
  • Runtime Interpretation

SQL Injection Techniques

Example: Database Schema
Table Users
  • Has columns “username” and “password”
  • Accessed when users log in
Table Customers
  • Has column “phone”
  • Users can look up other customer phone numbers by name
Application does no input validation

Modifying Records
Application has a password changing page.
SQL: update users set password = '{newpassword}' where username = '{username}'
Input (as the new password): newpassword' where username like '%admin%' --
The quote closes the password literal, the injected where clause replaces the original one, and the trailing -- comments out the rest of the statement, so the password of every user whose name contains “admin” is changed instead of the current user's.

MS SQL Server
Setup SQL Server with default settings:
  • Default system admin account “sa” enabled
  • No password!!!
  • Supports multiple queries
  • “Extended stored procedures”: C/C++ DLL files
      • Read/write external files
      • Access command line

Preventing SQL Injection

Preventing SQL Injection
  • Input Validation
  • Input Checking Functions
  • Access Rights
  • User Permissions
  • Variable Placeholders
  • Stored Procedures

Input Checking Functions
Built-in character rejection.

    // Vulnerable: the raw value of $_GET['id'] is spliced into the query text
    $sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";

    // Escaped: mysql_real_escape_string() neutralises quote characters in the input
    $sql = "SELECT * FROM Users WHERE ID =" . mysql_real_escape_string($_GET['id']);
    $result = mysql_query($sql);

Access Rights
Connect the application as a limited “Web User”, not as the System Administrator (‘sa’).

Variable Placeholders
  • Defense from String Concatenation
  • Enforcing database data types
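The following is an added example, not code from the slides or from the authors' demo. It replays the “Modifying Records” input against a constructed in-memory SQLite copy of the slides' Users table (SQLite stands in for the MS SQL Server used in the original demo), once through string concatenation as on that slide and once through variable placeholders with an allow-list input check. The table contents, the `[A-Za-z0-9_]{1,32}` username policy and the function names are all assumptions made for the example. One caveat it also illustrates: escaping alone, as on the Input Checking Functions slide, only neutralises quote characters, and that slide's escaped query concatenates the value without surrounding quotes, so for a numeric ID the escaping does not constrain the input at all; placeholders send the value separately from the SQL text and carry the column's type, which is why they are the preferred defence.

```python
import re
import sqlite3

# The exact input shown on the "Modifying Records" slide, supplied as the new password.
SLIDE_INPUT = "newpassword' where username like '%admin%' --"

# Allow-list check for the username field (assumed policy: 1-32 word characters).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed sample data mirroring the slides' Users table.
    Passwords are plaintext only so the effect stays visible; a real
    application would store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-old"), ("admin", "admin-old")])
    conn.commit()
    return conn


def valid_username(name):
    """Input validation: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(name) is not None


def change_password_vulnerable(conn, username, newpassword):
    """String concatenation as on the slide: user input becomes SQL text."""
    sql = ("update users set password = '" + newpassword
           + "' where username = '" + username + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def change_password_safe(conn, username, newpassword):
    """Variable placeholders: the driver sends the values separately from the
    SQL, so quotes, LIKE clauses and comment markers are just characters."""
    if not valid_username(username):
        raise ValueError("username fails input validation")
    cur = conn.execute("update users set password = ? where username = ?",
                       (newpassword, username))
    conn.commit()
    return cur.rowcount


def passwords(conn):
    """Return {username: password} for inspection."""
    return dict(conn.execute("select username, password from users"))


def demo():
    """Run the slide's input through both versions and return both tables."""
    vuln_db = make_db()
    change_password_vulnerable(vuln_db, "alice", SLIDE_INPUT)
    safe_db = make_db()
    change_password_safe(safe_db, "alice", SLIDE_INPUT)
    return passwords(vuln_db), passwords(safe_db)


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenation:", vuln)   # admin's password overwritten, alice's untouched
    print("placeholders: ", safe)   # alice's password is the literal input, admin untouched
```

Running the file prints the two tables side by side: with concatenation the admin account's password is silently set to “newpassword” and alice's is unchanged, while with placeholders alice's password becomes the full 47-character input string and the admin row is never touched.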

Stored Procedures
  • Use error checking variables
  • Buffer direct database access