SQL Injection
Detected by Syhunt: Yes (Dynamic, Code)
Type: Injection Flaw
Also Known As: SQLi
CWE: 89
Many web sites contain flaws that may allow attackers to carry out SQL injection attacks. The issue arises when a script builds a SQL statement from user-supplied parameter values without properly sanitizing them, which may allow attackers to inject into or manipulate the queries sent to the back-end database.
Resources
- 8 best practices to prevent SQL Injection Attacks - TablePlus
- SQL Injection Attack explained, with example - TablePlus
- SQL Injection - W3Schools
- SQL Injection Prevention Cheat Sheet - OWASP
- SQL Injection - OWASP
- SQL Injection - PHP.Net
- SQL Injection - WASC
- How to prevent SQL injection in PHP - StackOverflow
Examples of vulnerable code
Below you can find very basic examples of SQL injection vulnerabilities.
PHP
```php
<?php
$username = $_GET['username'];
$result = mysql_query('SELECT * FROM users WHERE username="'.$username.'"'); // untrusted value spliced into the SQL text
?>
```
Syhunt scan results for this example code:
Found: 1 vulnerability In /sqli_basic.php (source code, locally), affecting parameter "username", on lines 2,3: Possible SQL Injection Vulnerability
ASP
```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%
// Dynamic SQL: the query-string value is concatenated straight into the statement
SqlDataAdapter myCommand = new SqlDataAdapter("SELECT au_lname, au_fname FROM authors WHERE au_id = '" + Request.QueryString["SSN"] + "'", myConnection);
// Stored Procedure: calling a procedure by string concatenation is just as injectable
SqlDataAdapter myProcCommand = new SqlDataAdapter("LoginStoredProcedure '" + Request.QueryString["SSN"] + "'", myConnection);
%>
```
Syhunt scan results for this example code:
Found: 1 vulnerability In /sqli_ms.aspx (source code, locally), on lines 6,8: Possible SQL Injection Vulnerability
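The following is an added example, not code from the page or from Syhunt, that reproduces the defect shared by the PHP and ASP snippets above against a constructed in-memory SQLite table: the same username lookup is written once by string concatenation (the vulnerable form) and once with a bound parameter (the fix recommended by the OWASP cheat sheet listed under Resources), so the two can be run on identical input and compared.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's "users" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: mirrors the page's PHP by splicing the parameter into the SQL.

    Whatever the caller sends becomes part of the statement, so a quote
    character in the input changes the structure of the query itself.
    """
    sql = "SELECT username FROM users WHERE username='" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> dict:
    """Run both variants on one input.

    'concat' is None when the concatenated statement no longer parses, which is
    what happens for an ordinary name containing an apostrophe.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, username)
    except sqlite3.OperationalError:
        concat = None
    return {"concat": concat, "param": lookup_param(conn, username)}


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name with an apostrophe, a tautology.
    for value in ("alice", "o'neil", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

The concatenated query returns every row for the tautology input and errors on the apostrophe, while the parameterized query returns exactly the matching rows in both cases.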
Cheat Sheets
Page last modified on December 27, 2018, at 01:47 PM