SQL Injection

Many web sites contain flaws that may allow attackers to carry out SQL injection attacks. The issue happens when a script fails to properly sanitize user-supplied input to parameters. This may allow attackers to inject or manipulate SQL queries in the back-end database.

Detailed Information

• Protecting Against SQL Injection Attacks - DOE-CIRC
• Attack Methodology Analysis: SQL Injection Attacks - DOE
• Minimize the Effectiveness of SQL Injection Attacks - NSA
• SQL injection – How to avoid it
• SQL Injection - OWASP
• SQL Injection - PHP.Net
• SQL Injection - WASC
• http://en.wikipedia.org/wiki/SQL_injection

Examples of vulnerable code

Below you can find very basic examples of SQL injection vulnerabilities.

PHP

 
<?
$username = $_GET['username'];
$result=mysql_query('SELECT * FROM users WHERE username="'.$username.'"');
?>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_basic.php (source code, locally), affecting parameter "username", on lines 2,3:
  Possible SQL Injection Vulnerability

ASP

 
<%@Page Language="C#"%>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Data.SqlClient" %>
<%
// Dynamic SQL
SqlDataAdapter myCommand = new SqlDataAdapter("SELECT au_lname, au_fname FROM authors WHERE au_id = '" + Request.QueryString["SSN"] + "'", myConnection);
// Stored Procedure
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Request.QueryString["SSN"] + "'", myConnection);
%>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_ms.aspx (source code, locally), on lines 6,8:
  Possible SQL Injection Vulnerability

Cheat Sheets

• pentestmonkey's Cheat Sheets
• RSnake's SQL Injection Cheat Sheet
• XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
• The SQL Injection Knowledge Base