SQL Injection
You’re the IT guy at a big company, we’ll call it Foadco. You have just finished making a new polished website, but it’s late, so you just slap together a quick and dirty login page so that your users (whom you personally look down on for their technological ignorance) can authenticate to the network from home and then obtain their credentials for logging into the company’s virtual private network. In the process of making this website, you forget one very critical thing: you forget to have your queries to the database validate their input.
Meet Charles. Charles is a three-year veteran of Foadco, and he is about to quit because he is unhappy with the way the company treats its software developers. He is browsing the website and discovers this new web page. Since he is about to quit, he figures he can have some fun with this, and he makes a quick note of it before e-mailing his boss to tell him he’s not coming back. When Charles gets home, he opens up his web browser and, using a proxy, navigates to the company’s web page he was looking at earlier. Now, Charles is a gifted computer programmer; he takes a few minutes to read over the PHP code and discovers this major flaw. He examines the remainder of the code looking for more mistakes but settles on this one. He enters “root” as the user name and “a' or 't'='t”. The database returns a valid login and he is granted access. He downloads the files and credentials for logging in, and a week later, from a coffee shop, he steals all the financial and software data from the company before disappearing.
How could Foadco have prevented this? One mistake can cost a company billions, not only in lost revenue but in blackmail money or outright theft. What Charles did was creative and well planned. But what exactly happened? SQL injection exploits vulnerabilities at the database query level: if input isn’t formatted exactly as it should be, the fields can be taken out of context. Consider this statement:
Database = "SELECT * FROM users WHERE name = '" + usersDB + "';"
It calls the database to retrieve the records for a username from a table; however, the username is a variable filled in by whatever the user typed, spliced straight into the query text, and is therefore vulnerable to this attack. When the string a' or 't'='t is entered, it turns the above statement into:
SELECT * FROM users WHERE name = 'a' OR 't'='t';
See the difference?
When the a' is entered, the single quote closes off the string literal in the SQL statement, so the remaining text OR 't'='t' becomes part of the WHERE clause and the query is still valid. Since 't' will ALWAYS equal 't', the condition is true for every row, and the database returns records as if the correct password had been entered. If you want to stop this attack, it’s simple: validate your input!
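As an added example (not code from the original page), the concatenated query above is reproduced in Python against an in-memory SQLite table, next to a parameterized version and a validating wrapper. The table contents, the variable name and the username pattern are constructed for this demonstration.

```python
import re
import sqlite3

# Constructed sample data: a tiny users table standing in for Foadco's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("root", "correct horse"), ("charles", "hunter2")])
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation exactly as on the page: the user's input becomes
    # part of the SQL text, so a quote in it changes the query's structure.
    query = "SELECT * FROM users WHERE name = '" + name + "';"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, name):
    # Placeholder binding: the driver passes the value separately from the
    # SQL text, so quotes inside it are plain data and cannot end the literal.
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

# Hypothetical allow-list for usernames: letters, digits, '_', '.', '-' only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def lookup_validated(conn, name):
    # Input validation as the page recommends, layered on top of binding:
    # anything outside the allowed username shape is rejected before any SQL runs.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)

if __name__ == "__main__":
    db = make_db()
    payload = "a' or 't'='t"
    print("vulnerable:", lookup_vulnerable(db, payload))      # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no such user
```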
If you’re a programmer, I hope this has helped alert you to this amazing threat. It’s actually more common than you might think, so watch out!