From Syhunt Web Application Security Docs

Vulnerabilities: SQL Injection

SQL Injection

Detected by Syhunt: Yes (locally, remotely)
Type: Injection Flaw
Also Known As: SQLi
CWE: 89

Many web sites contain flaws that may allow attackers to carry out SQL injection attacks. The issue happens when a script fails to properly sanitize user-supplied input to parameters. This may allow attackers to inject or manipulate SQL queries in the back-end database.

Detailed Information

Examples of vulnerable code

Below you can find very basic examples of SQL injection vulnerabilities.

PHP

 
<?
$username = $_GET['username'];
$result=mysql_query('SELECT * FROM users WHERE username="'.$username.'"');
?>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_basic.php (source code, locally), affecting parameter "username", on lines 2,3:
  Possible SQL Injection Vulnerability

ASP

 
<%@Page Language="C#"%>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Data.SqlClient" %>
<%
// Dynamic SQL
SqlDataAdapter myCommand = new SqlDataAdapter("SELECT au_lname, au_fname FROM authors WHERE au_id = '" + Request.QueryString["SSN"] + "'", myConnection);
// Stored Procedure
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Request.QueryString["SSN"] + "'", myConnection);
%>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_ms.aspx (source code, locally), on lines 6,8:
  Possible SQL Injection Vulnerability

Cheat Sheets

Retrieved from http://www.syhunt.com/docwiki/index.php?n=Vulnerabilities.SQLInjection
Page last modified on August 20, 2013, at 05:03 PM