What is a Structured Query Language injection vulnerability?


Many web developers are not aware of how powerful SQL queries are and assume they can always be trusted.

As its name suggests, SQL injection (or SQLi) is a method of exploiting a security vulnerability in an application that interacts with a database. The principle is to inject malicious SQL code into a query so that it no longer does what was intended, compromising the integrity of the data held in the database. This technique is very often used to bypass the authentication and authorization mechanisms of a web application.

An SQLi vulnerability can have serious consequences because an attacker can gain unauthorized access to sensitive data: they will be able to read the database, write new data or execute malicious code. We all know the value and importance of such data, so an attack of this kind can be very damaging to a site.

Example:
We chose an authentication system to illustrate the vulnerability, but it could be present anywhere on a website. As long as a page contains an input field, there is a risk of SQL injection if the queries are not protected.

When a user wants to log into a dynamic website, they must enter their username and password in dedicated input fields. The back end then executes a query with the data entered to check that the user exists in the database, that is, that the username and password are valid.

The SQL query executed by the system is:

SELECT user_id
FROM Users
WHERE name = '(username)' AND password = '(hashed password)';

If the script (PHP, Java, ASPX, ...) that executes the query does not check the incoming data, the query can be attacked by entering the following characters in the username field: ';--
The query then becomes:

SELECT user_id
FROM Users
WHERE name = '(username)'; --' AND password = '(hashed password)';

The semicolon ends the statement and the characters "--" mark the beginning of an SQL comment, so the second condition of the WHERE clause is never evaluated. The user can then log in with any password, as long as the username entered exists in the database.

It is also possible to trick the query through the password field by entering the following in it: 'or 1 --

The apostrophe closes the string that was supposed to hold the user's input; "or 1" adds a condition that is always true; and "--" starts a comment that discards the rest of the query. When the system evaluates the condition it finds that 1 is true, and the attacker is logged in.


How to protect yourself against Structured Query Language injection vulnerabilities?


To protect yourself against SQLi flaws, we advise using prepared statements (for example PDO in PHP). The query is compiled before the user-supplied values are bound to it, so those values are treated purely as data and can never change the structure of the query.
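The login query from the example above, written both the vulnerable way (string concatenation) and with a prepared statement, so the two payloads from the example can be tried against each. This is an added illustration, not code from the original article; it uses Python's built-in sqlite3 module and a constructed in-memory Users table, with plain-text passwords only to keep the demo short (a real system would store password hashes, which does not change the injection behaviour shown here).

```python
import sqlite3


def make_db():
    """Constructed demo database following the page's Users table layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (user_id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    # Two constructed accounts: alice gets user_id 1, bob gets user_id 2.
    conn.executemany(
        "INSERT INTO Users (name, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by concatenation: whatever the user types becomes SQL.

    With name = "bob'; --" the first statement ends after name = 'bob' and
    the password check is commented out. With password = "'or 1 --" the
    WHERE clause becomes (... AND password = '') OR 1, which is always true.
    Returns the matched user_id, or None when no row matches.
    """
    sql = (
        "SELECT user_id FROM Users WHERE name = '" + name
        + "' AND password = '" + password + "';"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, name, password):
    """Same query as a prepared statement: the SQL text is compiled first and
    the inputs are bound as values, so quotes, ';' or '--' inside them are
    just characters compared against the stored columns.
    Returns the matched user_id, or None when no row matches.
    """
    sql = "SELECT user_id FROM Users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None
```

Running both functions with the page's payloads shows the concatenated query letting the attacker in while the prepared statement simply finds no matching user.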