Search This Blog

Monday, March 30, 2015

SQL Injection and Solution

Few days back I was reviewing a code and stumbled up on this SQL string creation:
&string = "SELECT EMPLID,E_ADDR_TYPE,EMAIL_ADDR FROM PS_EMAIL_ADDRESSES WHERE EMPLID=" | &Emplid;

The requirement was simple enough to get the email ID's through an input from the page. However, this code was vulnerable in its design, which can be a perfect
example for SQL injection technique.

What is SQL injection?
SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input. Injected SQL commands can alter SQL statement and compromise the security of a web application.

Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically change SQL statements to provide the user with selected data.


After providing the EMPLID 8000100485, the SQL String will look like this:
SELECT EMPLID,E_ADDR_TYPE,EMAIL_ADDR FROM PS_EMAIL_ADDRESSES WHERE EMPLID=800010048

However, if the user enters 8000100485 or 1=1 (This condition holds true always) in the input field, it opens the entire database for the user to retrieve.

The SQL string gets modified like below:
SELECT EMPLID,E_ADDR_TYPE,EMAIL_ADDR FROM PS_EMAIL_ADDRESSES WHERE EMPLID=8000100485 or 1=1

Few things to avoid SQL injection:
1. Avoid using SQL string generation method to the max
2. If you still use the SQL string method, use Quote function to wrap the input parameters in quotes and avoid SQL injection.

Using Quote function:
&string = "SELECT EMPLID,E_ADDR_TYPE,EMAIL_ADDR FROM PS_EMAIL_ADDRESSES WHERE EMPLID=" | Quote(&Emplid);

Result: SELECT EMPLID,E_ADDR_TYPE,EMAIL_ADDR FROM PS_EMAIL_ADDRESSES WHERE EMPLID='8000100485 or 1=1' (Notice the quote wrapping);

A little care can avoid the chances of getting hacked.

1 comment: