info@knockoutsystem.com

Sandesh Bhattarai

Nov 21, 2017

PHP and SQL Injection

According to Wikipedia, “SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)”. The first public discussions of SQL injection started appearing around 1998.

FORM OF SQL Injection

SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project. In 2013, SQLI was rated the number one attack on the OWASP top ten. There are four main sub-classes of SQL injection:

  1. Classic SQLI
  2. Blind or Inference SQL injection
  3. Database management system-specific SQLI
  4. Compounded SQLI
  5. SQL injection + insufficient authentication
  6. SQL injection + DDoS attacks
  7. SQL injection + DNS hijacking
  8. SQL injection + XSS
  9. The Storm Worm is one representation of Compounded SQLI.

This classification represents the state of SQLI, respecting its evolution until 2010—further refinement is underway.

TECHNICAL IMPLEMENTATION

INCORRECTLY FILTERED ESCAPE CHARACTERS

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end-user of the application. Consider the following sql statement:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

Now, the variable “userName” is crafted in a specific way by a malicious user, the query may do more than the code intended to.
Example,
Lets consider values of userName as:

' OR '1'=1
' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*

The query will look like:

SELECT * FROM users WHERE name = '' OR '1'='1';
OR, 
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

which is always a true statement and a user can more append some queries as:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

PREVENTION:

1) To prevent from such unfiltered escape string, we have various methods to use.
The simplest and the easiest way is to use mysqli::escape_string();
Example:

 SELECT * FROM entiregorkha_users WHERE name = '\' OR \'1\'=\'1'
SELECT * FROM entiregorkha_users WHERE name = '\' OR \'1\'=\'1\' /*'

2)Use prepared statements and parameterized queries:
With the use of Prepare statement we can prevent sql injection in some extent. It is also one of the most common used method.
Example:

$stmt = $ConnectionObject->prepare('SELECT * FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

INCORRECR TYPE HANDLING

This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric.
Example:

"SELECT * FROM users WHERE id =" + userVariable + ";"

Here, userVariable should be integer or number type but if checking is not done and the user provided string value then,
Lets consider userVariable as : 1;DROP TABLE users
Then sql statement looks like:

SELECT * FROM users WHERE id=1; DROP TABLE users;

PREVENTION:

So before querying anything with the database, we need to check and handle the correct data type that the user provide.

BLIND SQL INJECTION

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker.
Some forms are:

CONDITIONAL RESPONSES

One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen. As for example:

http://www.example.com/list.php?ID=5 This URL request the server to run following query:
SELECT * FROM bookreviews WHERE ID = 'Value(ID)';
what if some users intentionally changes the URL as: http://www.example.com/list.php?ID=5 OR 1=1

Then the query would like to be:

SELECT * FROM bookreviews WHERE ID = '5' OR '1'='1';

which is always a true condition

PREVENTION:

  1. Use of Prepared Statement before query
  2. Escape string while using the user input data.
Source: https://en.wikipedia.org/wiki/SQL_injection
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

Digitize Your Business ? Let’s Talk