Saturday, January 16, 2010

SQL Injection

SQL Injection

When constructing websites where there is the facility for registering and the need for identifying users individually, then we need to have some setup to save user-names and passwords. Files do serve a good place to do it, but some times it is more of a bane than boon. That’s where databases replace the old age files. Databases have the specialty of saving data in the form of tables which are easy to search, modify, add and delete.
SQL is short for Structured Query Language, a powerful tool that help you deal with data saved in databases. You can find the login form in many websites these days. You will be authenticated to access extra facilities if you are in possession of the correct pair of user-name and password. Well, user-name is unique, which most of you will be aware of. Now a days most of the authentication process is done via SQL. So it becomes necessary to know some details of SQL queries.
select * from table; is a very common SQL query. The asterisk represents everything. During user authentication, a probable SQL query might be
$query – An SQL query.
$username – a variable having the user name provided by the user in the user name text box.
$password – a variable having the password provided by the user in the password text box.

$query = select password from logtable where username = ‘.$username.’;
$spass = mysql_query($query);
if ($password == $spass){
echo “User Authenticated”;
}

This is a simple “example”. Mind you it might not be following syntax rules or anything. What i have tried here is to explain is how a basic user authentication could be performed.
Note: There are many other methods, but this is a basic one and the one prone to SQL injection.
Now consider this query.
select password from logtable where username = ” or ‘a’ = ‘a’;
See that the where part of this statement returns true, because of ‘a’ = ‘a’. Due to this the query returns a true value that is similar to being authenticated. So instead of a user-name and password into the respective fields, if you enter this (‘ or ‘a’='a) without the brackets, then if the SQL query is an insecure one then you can be authenticated into the first entry! This is because the string ‘ or ‘a’='a comes in place of $username in the below query.
$query = select password from logtable where username = ‘.$username.’;
Try it out at www.fiitjee.com.
It’s prone to SQL injection for now. Hope they correct the code as soon as possible. The earlier the better for them!

No comments:

Post a Comment