SQL Injection

Many web sites contain flaws that may allow attackers to carry out SQL injection attacks. The issue happens when a script fails to properly sanitize user-supplied input to parameters. This may allow attackers to inject or manipulate SQL queries in the back-end database.

Resources

• 8 best practices to prevent SQL Injection Attacks - TablePlus
• SQL Injection Attack explained, with example - TablePlus
• SQL Injection - W3Schools
• SQL Injection Prevention Cheat Sheet - OWASP
• SQL Injection - OWASP
• SQL Injection - PHP.Net
• SQL Injection - WASC
• How to prevent SQL injection in PHP - StackOverflow

Examples of vulnerable code

Below you can find very basic examples of SQL injection vulnerabilities.

PHP

 
<?
$username = $_GET['username'];
$result=mysql_query('SELECT * FROM users WHERE username="'.$username.'"');
?>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_basic.php (source code, locally), affecting parameter "username", on lines 2,3:
  Possible SQL Injection Vulnerability

ASP

 
<%@Page Language="C#"%>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Data.SqlClient" %>
<%
// Dynamic SQL
SqlDataAdapter myCommand = new SqlDataAdapter("SELECT au_lname, au_fname FROM authors WHERE au_id = '" + Request.QueryString["SSN"] + "'", myConnection);
// Stored Procedure
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Request.QueryString["SSN"] + "'", myConnection);
%>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_ms.aspx (source code, locally), on lines 6,8:
  Possible SQL Injection Vulnerability

Cheat Sheets

• pentestmonkey's Cheat Sheets
• RSnake's SQL Injection Cheat Sheet
• XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
• The SQL Injection Knowledge Base