A SQL injection attack consists of inserting, or "injecting", a partial or complete SQL query through the data input that the client (browser) sends to the web application. A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), and execute administrative operations on the database (such as shutting down the DBMS).
Different SQL Injection attacks
SQL Injection threats include:
- An unauthorized user could log in to the application as a valid user
- A user could view other users' private information, profile and transaction details
- Data could be deleted from a table, or the table itself could be dropped
- Sensitive data could be updated
- A user could take control of the database and execute arbitrary queries against it
- A user could delete the whole database
- A user could change the database access permissions
Data from each field of the user input or website form goes into the database query. So if, instead of valid data, the user enters malicious data, it may be executed by the database and result in harmful operations.
Below are some of the possible ways to perform SQL Injection
- Making the query always true: A user can use a simple input like ' OR 1=1; -- to make the condition always true. Let's write a query to get the user details by user name as the input parameter, UserName = 'Jagadeesh'. The above query can be injected by giving the UserName as ' OR 1=1; --. See the below query
- Query can drop an existing table: A user input value can drop an existing table in the database if the user gives the input ' or 1=1; drop table Student;
How to Identify SQL Injection attacks
- If the user enters a ' or " sign in a text input and the system returns a result like 'Internal Server Error' or any other inappropriate result, then we can be almost sure that SQL Injection exists
- Sometimes the user may see a blank screen and there won't be any response to the request
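The two symptoms above can also be looked for after the fact in web-server access logs: a request whose parameter carried a quote and was answered with an HTTP 500, or one whose parameter carries a SQL comment or tautology. The following is an added example, not part of the original article; it scans a few constructed combined-format log lines (the /user path and UserName parameter are assumed) and rates each quote-bearing request, keeping a legitimate apostrophe in a name at low confidence.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined" access-log format (sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# "OR 1=1"-style tautology in a decoded query string.
TAUTOLOGY_RE = re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Constructed sample log: a normal lookup, a lone quote answered with a 500,
# the always-true input from the article, and a legitimate name with an apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /user?UserName=Jagadeesh HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /user?UserName=%27 HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /user?UserName=%27%20OR%201%3D1%3B%20-- HTTP/1.1" 200 8192
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /user?UserName=O%27Brien HTTP/1.1" 200 512
"""


def classify_request(line):
    """Return a verdict string for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    # URL-decode the query string so %27 becomes the quote the application saw.
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    status = int(m.group("status"))
    has_quote = "'" in query or '"' in query
    if not has_quote:
        return None
    if status >= 500:
        # The symptom from the article: a quote in input answered with a server error.
        return "high: quote in input answered with HTTP %d" % status
    if TAUTOLOGY_RE.search(query) or "--" in query:
        return "high: SQL comment or tautology in input"
    return "low: quote in input (may be legitimate, e.g. a name)"


def scan_log(text):
    """Return (ip, path, verdict) for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        verdict = classify_request(line)
        if verdict:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), m.group("path"), verdict))
    return findings


if __name__ == "__main__":
    for ip, path, verdict in scan_log(SAMPLE_LOG):
        print(ip, path, verdict)
```

A 500 paired with a quote is the strongest signal because it matches exactly the behaviour described above; a quote on its own is only a weak indicator, since names like O'Brien are valid input, which is why that case is reported at low confidence rather than dropped.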
Prevention steps to avoid SQL Injection Attacks
- Never trust any user: If the screen is a login with username and password, the user should not be allowed to enter special characters such as the single quote (') and double quote ("). This helps prevent the basic SQL Injection attack that makes the condition always true.
- Always pass input as parameters: Application code should always be implemented so that input values are passed to the query as parameterized values. In C#, we can use the SqlParameter class to pass parameter values.
- Use stored procedures: Always prefer a stored procedure for any query execution and pass the parameters to the stored procedure from the application.
- Avoid using dynamic SQL: Use dynamic SQL only when it is really required, as it increases the risk of SQL injection.
- Security testing should be done: No matter how accurately the application is implemented, security testing against SQL Injection should still be done.
- Encrypt passwords: Always save the passwords in encrypted format.
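The following is an added example, not code from the original article. It shows the two "possible ways" inputs listed earlier against the string-concatenated query the article describes, beside the parameterized query and input validation the prevention steps recommend. It uses Python's sqlite3 module rather than the C# SqlParameter class the article mentions; the Student table name comes from the article, while its columns, rows and the user-name allow-list are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table: 'Student' is from the article, the rest is made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Student (UserName TEXT, Email TEXT)")
    con.executemany("INSERT INTO Student VALUES (?, ?)", [
        ("Jagadeesh", "jagadeesh@example.com"),
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
    ])
    return con


def find_user_vulnerable(con, user_name):
    """The pattern the article warns about: the input is spliced into the SQL
    text, so a quote in it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT UserName, Email FROM Student WHERE UserName = '" + user_name + "'"
    return con.execute(sql).fetchall()


def find_user_parameterized(con, user_name):
    """The 'always pass input as parameters' advice: the driver sends the value
    separately from the SQL text, so it can only ever be compared as data."""
    sql = "SELECT UserName, Email FROM Student WHERE UserName = ?"
    return con.execute(sql, (user_name,)).fetchall()


# Allow-list form of the article's "no special characters" rule. Assumption for
# this example: user names are short and alphanumeric. This is a defence-in-depth
# layer in front of parameterization, not a replacement for it.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(user_name):
    return USERNAME_RE.fullmatch(user_name) is not None


def find_user(con, user_name):
    """Validate first, then query with a parameter: the article's sample
    inputs are rejected before any SQL runs."""
    if not is_valid_username(user_name):
        return None  # caller answers with a generic validation error
    return find_user_parameterized(con, user_name)


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    always_true = "' OR 1=1; --"                   # input from the article
    drop_table = "' or 1=1; drop table Student;"   # input from the article
    print(find_user_vulnerable(con, "Jagadeesh"))     # one row
    print(find_user_vulnerable(con, always_true))     # every row comes back
    print(find_user_parameterized(con, always_true))  # no row has that literal name
    print(find_user_parameterized(con, drop_table), table_exists(con, "Student"))
    print(find_user(con, always_true))                # None: rejected before any query
```

The drop-table input is deliberately only passed to the parameterized function: the table survives because the value is never parsed as SQL. Python's sqlite3 happens to refuse a second statement in one execute() call, but that is a property of this driver and not a defence to rely on; the parameter binding is what makes the behaviour independent of the driver.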