SQL injection is an attack technique used against database-backed applications: the attacker uses the capabilities of the SQL language to add new SQL statements through a field on the application's normal screen. (For example, an attacker could copy the contents of the database to themselves.) SQL injection exploits a vulnerability in the application software: SQL statements are embedded in the place where the application expects user input, and if the incoming data is not filtered within the application, or is filtered incorrectly, the application runs the embedded code without any apparent error. Although SQL injection is known mostly as an attack on websites, it can be performed against any application built on an SQL database.
SQL injection attacks allow attackers to log in with the credentials of one of the system's users, tamper with existing data, cancel or alter some operations, disclose all data in the database, destroy all data in the database, or become an administrator on the database server.
A 2012 study found that a web application receives an average of 4 attacks per month, with retailers receiving twice as many attacks as other industries.
Incorrect filtering of escape characters
This type of SQL injection occurs when data from the user is not filtered for escape characters and is passed into an SQL statement, allowing new SQL statements to be added to the application. The inserted SQL statements allow the end user to manipulate the database as desired.
Incorrect type handling
This type of SQLi occurs when the type of a user-supplied field is not checked properly. When a numeric value is expected in an SQL statement, the user's input must also be a numeric value; when this check is not carried out, a security vulnerability arises.
Blind SQL injection
Blind SQL injection is used when a web application is vulnerable to SQLi but the results are not visible to the attacker. The vulnerable page does not disclose data directly, but may display different content depending on the logical expression embedded in the SQL statement.
Conditional responses
The attack forces the database to evaluate a logical expression on an ordinary application page.
Second order SQL injection
Second order SQL injection occurs when values containing malicious code are not executed as soon as they are submitted, but are stored for a period of time. The application may correctly encode the SQL statement and store the submitted value as data. Later, in another part of the application that is not checked against SQL injection, the stored value is executed as part of an SQL statement. To perform this attack, the attacker must know more about how the submitted values are later used. Automatic web application security scanners cannot easily detect this type of SQL injection, so it must be checked manually whether malicious input can reach that part of the code.
Precautions against attacks
SQL injection is a well-known attack and can be easily prevented with simple measures. After an apparent SQL injection attack on TalkTalk in 2015, the BBC reported that the discovery of SQL injection vulnerabilities at such a large company surprised security experts.
Parameterized expressions
Most application development platforms support parameterized statements, which use parameters (also called placeholders or bind variables) in place of data from the user. A placeholder holds only a value of the given type, so an injection attempt is treated merely as a strange (and possibly invalid) parameter value.
In most cases the SQL statement is fixed, and each parameter is stored as a scalar, not as a table. Data from the user is assigned to this parameter.
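As an added illustration (not code from the article), the same lookup written with string concatenation and with a placeholder, run against a constructed SQLite table; it also shows that a placeholder carries only a scalar value, so it cannot stand in for a table name:

```python
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory users table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "admin"), (2, "bob", "user")])


def lookup_vulnerable(name):
    """Statement built by concatenation: the input becomes part of the SQL
    text, so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(name):
    """Statement with a placeholder (bind variable): the SQL text is fixed and
    the input is handed to the engine as a value, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def placeholder_is_scalar_only():
    """A placeholder holds a scalar, not a table: binding a table name is a
    syntax error, which is why the statement itself must be fixed in code."""
    try:
        conn.execute("SELECT name FROM ?", ("users",))
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    # A value with a quote and a tautology (the embedded "logical expression"
    # the article mentions) rewrites the concatenated statement...
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(probe))       # ['alice', 'bob']: every row
    # ...but is just a non-matching name when bound as a parameter.
    print(lookup_parameterized(probe))    # []
    print(lookup_parameterized("alice"))  # ['alice']
    print(placeholder_is_scalar_only())   # True
```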
Enforcement at the coding level
Using an object-relational mapping (ORM) library removes the need to write SQL code by hand. An active ORM library generates parameterized SQL statements from object-oriented code.
Escaping
In SQL, characters that have special meaning must be escaped. The SQL DBMS documents which characters have special meaning and provides a comprehensive blacklist. For example, the single quotation mark (') within each parameter is replaced with two single quotation marks ('') to create a valid SQL string literal. A common method is to escape parameters with the mysqli_real_escape_string() function. This function precedes the following characters with a backslash (\): \x00, \n, \r, \, ', " and \x1a. It is used to ensure that data is safe before a query is sent to MySQL.
PHP has such functions for many types of database, for example the pg_escape_string() function for PostgreSQL. The addslashes(string $str) function, which inserts slashes, is also used for escaping characters: it returns a string in which the characters that need quoting in database queries are preceded by a backslash (\). These characters are the single quotation mark ('), the double quotation mark ("), the backslash (\) and NUL (the NULL byte).
Creating a transparent layer that secures the input can reduce the tendency to error, but does not eliminate it completely.
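An added example, not from the article or from PHP, re-implementing the escaping rules above in Python: the MySQL-style backslash list handled by mysqli_real_escape_string() (the \0 and \Z spellings for NUL and Control-Z are the MySQL C API's), the shorter addslashes() list, and the standard-SQL doubling of single quotes, checked by reading a literal back through SQLite. It assumes a single-byte connection character set, which is one reason escaping alone is weaker than placeholders:

```python
import sqlite3

# Re-implementation for illustration (not the PHP functions themselves).
# Replacement strings follow the MySQL C API; multibyte character sets are
# not handled here, which is one reason escaping is weaker than placeholders.
MYSQL_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
ADDSLASHES_ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}


def escape_mysql(value):
    """Prefix the seven characters mysqli_real_escape_string() handles."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def escape_addslashes(value):
    """The shorter list handled by PHP's addslashes()."""
    return "".join(ADDSLASHES_ESCAPES.get(ch, ch) for ch in value)


def sql_literal_standard(value):
    """Standard SQL: double every single quote, then wrap the text in quotes."""
    return "'" + value.replace("'", "''") + "'"


def roundtrip_via_sqlite(value):
    """Embed the doubled-quote literal in a statement and read it back.
    SQLite follows the standard rule, so the result equals the input and a
    quote inside the value can no longer terminate the literal early."""
    conn = sqlite3.connect(":memory:")
    return conn.execute("SELECT " + sql_literal_standard(value)).fetchone()[0]


if __name__ == "__main__":
    print(escape_mysql("O'Brien\n"))             # O\'Brien\n
    print(escape_addslashes('say "hi"'))         # say \"hi\"
    print(sql_literal_standard("O'Brien"))       # 'O''Brien'
    print(roundtrip_via_sqlite("x' OR '1'='1"))  # x' OR '1'='1
```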
Pattern control
Integer, float, boolean and string parameters can be checked to confirm that their values are valid for the specified type. Strings may also need to be checked against other patterns (date, UUID, alphanumeric only, etc.).
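As an added example (function names are my own, not from the article), strict validators for the parameter kinds listed above; each returns the typed value or raises ValueError, so the check happens before anything reaches an SQL statement:

```python
import re
import uuid
from datetime import date

# Validators for the parameter kinds the article lists. Patterns are checked
# before conversion because int() and date.fromisoformat() accept looser
# input (e.g. "1_000", surrounding whitespace) than a query parameter should.
_INT = re.compile(r"[+-]?\d+")
_FLOAT = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")
_UUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
_ALNUM = re.compile(r"[A-Za-z0-9]{1,64}")
_BOOL = {"true": True, "1": True, "false": False, "0": False}


def _match(pattern, text, kind):
    if not isinstance(text, str) or not pattern.fullmatch(text):
        raise ValueError("%s: not a valid %s" % (text, kind))
    return text


def as_int(text):
    return int(_match(_INT, text, "integer"))


def as_float(text):
    return float(_match(_FLOAT, text, "float"))


def as_bool(text):
    if not isinstance(text, str) or text.lower() not in _BOOL:
        raise ValueError("%s: not a valid boolean" % text)
    return _BOOL[text.lower()]


def as_uuid(text):
    return uuid.UUID(_match(_UUID, text, "UUID"))


def as_date(text):
    # fromisoformat() rejects impossible calendar dates such as 2015-02-30.
    return date.fromisoformat(_match(_DATE, text, "date"))


def as_alnum(text):
    return _match(_ALNUM, text, "alphanumeric string")


def validate(params, schema):
    """Apply one validator per field; returns (clean values, errors by field)."""
    clean, errors = {}, {}
    for field, check in schema.items():
        try:
            clean[field] = check(params.get(field, ""))
        except ValueError as exc:
            errors[field] = str(exc)
    return clean, errors
```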
Database permissions
Restricting the permissions granted to the database login used by the web application can help reduce the effectiveness of SQL injection attacks that exploit vulnerabilities in the web application.
For example, in Microsoft SQL Server, a database login can be denied access to some system tables, which limits malware that tries to inject JavaScript into every text column in the database.
deny select on sys.sysobjects to webdatabaselogon;
deny select on sys.objects to webdatabaselogon;
deny select on sys.tables to webdatabaselogon;
deny select on sys.views to webdatabaselogon;
deny select on sys.packages to webdatabaselogon;