4.5 SQL Injection
SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.

Structured Query Language (SQL) is a specialized programming language for sending queries to databases. Most small and industrial-strength database applications can be accessed using SQL statements. SQL is both an ANSI and an ISO standard. However, many database products supporting SQL do so with proprietary extensions to the standard language. Web applications may use user-supplied input to create custom SQL statements for dynamic web page requests.

When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of backend SQL statements. When an attacker is able to modify a SQL statement, the process will run with the same permissions as the component that executed the command (e.g. database server, web application server, web server). The impact of this attack can allow attackers to gain total control of the database or even execute commands on the system.

The same advanced exploitation techniques available in LDAP Injection can also be similarly applied to SQL Injection.
Example
A web-based authentication form might have code that looks like the following:

    ' strUsername and strPassword come straight from the form and are spliced into the SQL text
    SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & _
               "' AND Password = '" & strPassword & "'"
    strAuthCheck = GetQueryResult(SQLQuery)
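The following is an added example, not part of the original document: it rebuilds the authentication query above in Python with an in-memory SQLite database (swapped in for the page's VBScript/ASP and GetQueryResult, which are not available here) and puts the string-concatenation form beside a parameterized form. The Users rows and the function names are constructed for the demonstration; a username containing a single quote shows how input becomes part of the SQL statement in the concatenated version while the parameterized version keeps the statement fixed.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original document).
# Cleartext passwords mirror the page's query; a real system would compare a password hash.
USERS = [("alice", "s3cret"), ("O'Brien", "pa55word")]


def setup_db():
    """Create an in-memory Users table like the one the page's query reads."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return con


def build_concat_query(username, password):
    """Same construction as the page's VBScript: the input is spliced into the SQL text."""
    return ("SELECT Username FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def auth_concat(con, username, password):
    """Vulnerable check: whatever the user typed is parsed as part of the statement."""
    try:
        row = con.execute(build_concat_query(username, password)).fetchone()
        return ("ok", row[0]) if row else ("denied", None)
    except sqlite3.Error as exc:
        # A quote in the input changes the statement's structure; here it is a syntax
        # error, which is the same mechanism an attacker relies on to alter the query.
        return ("error", str(exc))


def auth_param(con, username, password):
    """Hardened check: placeholders fix the statement; the driver passes input as data."""
    row = con.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = setup_db()
    print(build_concat_query("O'Brien", "pa55word"))   # quote count no longer matches the template
    print(auth_concat(db, "O'Brien", "pa55word"))      # ('error', 'near "Brien": syntax error')
    print(auth_param(db, "O'Brien", "pa55word"))       # ('ok', "O'Brien")
```

The parameterized version also rejects wrong passwords for every input, which is the behaviour the concatenated version cannot guarantee once the statement text depends on the user.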
Copyright 2004, Web Application Security Consortium. All rights reserved.