Dismiss Notice
Welcome to Our Community
Wanting to join the rest of our members? Feel free to sign up today.

SQL injection vulnerabilities

Discussion in 'General Webmaster Helpdesk' started by gkd_uk, Jul 26, 2007.

  1. gkd_uk

    gkd_uk Moderator Moderator Webmaster


    I have been reading about SQL injection vulnerabilities. How can one stay protected from these kinds of attacks and what is the worst a hacker can do if he applies one of these attacks?

    I also heard that hosting companie are not responsible for these kinds of attacks, is this true?

  2. gkd_uk

    gkd_uk Moderator Moderator Webmaster

    SQL Injection: What is it?

    SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.

    In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

    SQL Injection: An In-depth Explanation

    Web applications allow legitimate website visitors to submit and retrieve data to/from a database over the Internet using their preferred web browser. Databases are central to modern websites – they store data needed for websites to deliver specific content to visitors and render information to customers, suppliers, employees and a host of stakeholders. User credentials, financial and payment information, company statistics may all be resident within a database and accessed by legitimate users through off-the-shelf and custom web applications. Web applications and databases allow you to regularly run your business.

    SQL Injection is the hacking technique which attempts to pass SQL commands (statements) through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out.

    Such features as login pages, support and product request forms, feedback forms, search pages, shopping carts and the general delivery of dynamic content, shape modern websites and provide businesses with the means necessary to communicate with prospects and customers. These website features are all examples of web applications which may be either purchase d off-the-shelf or developed as bespoke programs.

    These website features are all susceptible to SQL Injection attacks which arise because the fields available for user input allow SQL statements to pass through and query the database directly.

    SQL Injection: A Simple Example

    Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.

    When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.

    Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.

    The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guess work to important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

    Read more
  3. gkd_uk

    gkd_uk Moderator Moderator Webmaster

    Just to let you know that hosting companies are not repsonsible for securing SQL Injections. Get in touch with the Script developer who may be able to provide you with a fix if required.
  4. temi

    temi Facilitator Webmaster

    Yes, its really not the hosting companies fault, its the application developers

Featured Resources (View All)

Share This Page