A Beginner's Guide To SQL Injections

What they are, how they work, and how to prevent them.

SQL is a widely used language for creating and managing the databases behind web applications. Let's imagine I'm building a web application to manage a school library. Data related to books, authors, and users would be stored in a database and accessed using SQL. This would allow the application to track the availability, borrowing, and return status of books.

There is a potential risk that a student may attempt to manipulate the database, such as changing the status of a borrowed book to read "returned", probably so he can keep the book for himself. One method to achieve this is through SQL injections—a type of cyberattack where malicious SQL code is inserted into a query to breach the website's security and gain unauthorized access to its database.

A good example of the impact of SQL injections involves the case of Albert Gonzalez, an American who used this technique to deploy backdoors on corporate systems. This unauthorized access facilitated packet sniffing attacks (packet sniffing is simply a way to intercept the data transferred from a computer network), enabling him to steal data from internal corporate networks, including approximately 170 million credit card and ATM numbers. Safeguarding your website against such cyberattacks is crucial.

How SQL Injections Work

Let's continue with our hypothetical scenario where the student hacker attempts to perform an SQL injection to gain unauthorized access to the library system. Suppose each library staff member has a unique username and associated password for logging in. The database stores this information, and a typical query to grant access might look like:

SELECT * FROM users WHERE username='username' AND password='password'

The query would run as soon as the staff member enters their username and password.

Just a quick word here: passwords are normally hashed for security reasons. You don't store passwords as plain text.

If our student wants to insert an SQL injection, they might input:

Username: ' OR '1'='1'; --
Password: 1234

To see the impact of this input, let's look at the query the application ends up running:

SELECT * FROM users WHERE username= '' OR '1'='1'; -- AND password='1234';

As you can see, the injected input turns the WHERE clause into an OR condition that is always true: '1'='1' holds for every row, even though the username itself is just an empty string. The -- at the end of the username input comments out the rest of the query, so the password check is never evaluated, and our student is granted unauthorized access. This is known as a classic or Boolean-based SQL injection.

Types of Blind SQL Injections

When a hacker uses malicious SQL code to try to exploit an application's behaviour based on whether a condition is true or false, that's a blind SQL injection.

Boolean-based SQL injection

Like our earlier example, this type relies on forcing the application to return different results based on whether a query is TRUE or FALSE.

Time-based SQL injection

This one is similar to Boolean-based injection, but instead of a visible difference in the page, the injected condition makes the database delay its response; whether or not the delay occurs tells the attacker whether the condition was true or false.
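Whether an injection is classic or blind, the attempt reaches the application as request input, so the web server's request log is a natural place to look for evidence of it. The following is an added example, not code from the original post, that scans a few constructed access-log lines for the indicators present in the post's own example input (a quote followed by OR, a tautology such as '1'='1, and the -- comment marker). The log format, the sample lines, and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed web-server access log (not real traffic). The second line carries the
# post's example input, URL-encoded: ' OR '1'='1'; --
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2024:10:01:02 +0000] "GET /login?username=librarian&password=s3cret HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2024:10:01:07 +0000] "GET /login?username=%27+OR+%271%27%3D%271%27%3B+--&password=1234 HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2024:10:01:09 +0000] "GET /books?id=42 HTTP/1.1" 200 2048
"""

# Common log format: client address, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators drawn from the post's own example: a quote closing a string literal followed
# by OR, a tautology of the form 'x'='x, and the -- sequence that comments out the rest
# of a query. Each is matched against the decoded parameter value.
INDICATORS = (
    ("quote-or", re.compile(r"'\s*or\s", re.IGNORECASE)),
    ("tautology", re.compile(r"'(\w+)'\s*=\s*'\1")),
    ("comment", re.compile(r"--")),
)


def parse_line(line):
    """Return (ip, status, {param: decoded value}) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # parse_qsl percent-decodes and turns '+' into spaces, so the indicators are matched
    # on what the application actually received rather than on the encoded form.
    params = dict(parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True))
    return m.group("ip"), m.group("status"), params


def scan_log(text):
    """Return a list of (ip, parameter, indicator) findings across all lines of the log."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _status, params = parsed
        for name, value in params.items():
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    findings.append((ip, name, label))
    return findings


if __name__ == "__main__":
    for ip, param, label in scan_log(SAMPLE_LOG):
        print(f"{ip} parameter={param} indicator={label}")
```

Decoding before matching matters: the request line stores the input as %27+OR+%271%27, and none of the indicators would match that encoded text. A hit on a login parameter is a reason to review the account and the application's query code, not proof of a breach on its own.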

Preventing SQL Injections

To safeguard your website against SQL injection attacks, consider the following measures:

1. Input Validation: Use input validation to ensure that user input aligns with expected types (e.g., strings, dates, emails). Treat user input as data, not executable code.

# The ? placeholders keep the SQL text fixed; the driver binds the two values as data
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (user_input_username, user_input_password))
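To show the mechanism from the "How SQL Injections Work" section side by side with the parameterized query above, here is an added example, not code from the original post, using Python's sqlite3 module and a constructed in-memory users table. The function names, the table contents and the staff password are assumptions; passwords are stored as-is only to mirror the post's query shape, whereas a real system stores hashes, as the post notes.

```python
import sqlite3


def make_db():
    """Constructed in-memory library database with one staff account (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('librarian', 'correct horse battery staple')")
    conn.commit()
    return conn


def build_query_text(username, password):
    """The SQL string a vulnerable login builds by string formatting: the input becomes SQL."""
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"


def login_vulnerable(conn, username, password):
    # Whatever the user typed is spliced into the query text, so quotes and -- in the
    # input change the structure of the statement the database runs.
    return conn.execute(build_query_text(username, password)).fetchone() is not None


def login_parameterised(conn, username, password):
    # The SQL text is fixed; the two values travel separately and are compared as data,
    # so a quote or -- inside them is just part of a string to compare against.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR '1'='1'; --"  # the post's example input
    print(build_query_text(injected, "1234"))
    print("vulnerable    :", login_vulnerable(conn, injected, "1234"))      # True
    print("parameterised :", login_parameterised(conn, injected, "1234"))  # False
```

Running the block prints the exact statement the post shows being executed, then the two outcomes: the string-built query returns the librarian row for the injected input, while the parameterised query returns nothing because no user is literally named ' OR '1'='1'; --. Input validation, as the post describes it, is a useful extra layer, but the placeholder is what removes the vulnerability.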

2. Character Restriction

Block specific characters from being accepted in user input. For instance, permit only alphanumeric characters in the input that reaches a query.

import re

def validate_alphanumeric(user_input):
    # Permit only ASCII letters and digits; re.fullmatch anchors the whole string
    # (re.match with "$" would still accept a trailing newline). Use alongside
    # parameterised queries, not instead of them.
    if not re.fullmatch(r"[a-zA-Z0-9]+", user_input):
        raise ValueError("input contains characters outside [a-zA-Z0-9]")  # reject the input
    return user_input

Implementing these measures can significantly enhance your website's resilience against SQL injection attacks.