Home > Technology > SQL Injection Attacks

SQL Injection Attacks


Our dependance with the web has rapidly increased, now internet has took the world by storm. Most of us use internet for e-banking, online marketing, paying bills and making reservations. We have to ask ourselves how much safe and reliable the webapplications are?. Studies have found that many webapplications’ security is compromised by the sophisticated attacks One of such kinds is “The SQL Injection”. In this attack attacker injects his code in to the web application thereby compromising the security, he can leak very confidential information such as Credit card numbers and even can able to destroy all the data in the database too.

The SQL Injection attack is possible because the given user input is not validated before it is fed to the database SQL engine. A part of the user input is written by the attacker such that the data is totally aired to the attacker. If we go in detail, the main cause of concern of this attack is owing to having been totally stuck up to the management of data using databases(Databases are the best way of organising and storing the data).

One of the counter measure for this kind of attack is that using techniques which will prevent Invalid and destructive User Inputs. Here is an example how is this done.

Let there is are UserName: and Password: fiels in a webspage. When user enters username and password the developer would have written the SQL query to evealuate it Like

1) ResultsSet rs=rs.executeQuery(“Select username, password from User”);

2) if(rs.getString(1)==username&&rs.getString(2)==password)

{

//

}

After this is over assume that there is another textfield to search within the website. At that time the attacker gives the query in this form.

;’ Malicious Qurery ‘;

Select plan from Web where search=”;’Malicious Qurey’;
The first ;(semicolon marks the end of the internal query as shown in the above statement) and the second query executes happily harming the whole database totally breaching the security.

The Malicious Query could be “drop table User” ( Or anything)

One kind of couter measures(or mitigation technique) we have to take against SQL Injection is using PreparedStatements in java while coding for the webapplications. In PreparedStatements it takes whole user input as only text “String” No matter what it is.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: