SQL Injection: What it is and how to

prevent it

Preventing SQL Injection Attacks

SQL injection is the hacking technique which attempts to pass SQL commands through a web
application for execution by a backend database. Firewalls and similar intrusion detection
mechanisms provide little defense against full-scale web attacks. This paper describes SQL
Injection, gives examples of SQL Injection attacks and suggests ways in which to prevent them.

www.acunetix.com 1
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

Table of Contents

What is SQL Injection? 3

SQL Injection: A Simple Example 5

Why is it possible to pass SQL queries directly to a database that is hidden behind a firewall and
any other security mechanism? 6

Is my database at risk to SQL Injection? 7

What is the impact of SQL Injection? 8

Example of a SQL Injection Attack 8

How do I prevent SQL Injection attacks? 9

How to check for SQL injection vulnerabilities 9

Signature-Matching versus Heuristic Scanning for SQL Injection 9

How can Acunetix help you in auditing your site for SQL Injection? 10

Acunetix SiteAudit – On-Demand Web Security 10

About Acunetix 11

www.acunetix.com 2
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

What is SQL Injection?

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from
organizations. It is, perhaps, one of the most common application layer attack techniques used
today.

The Web Application Layer

It is important to distinguish the web application layer and what happens therein before delving into
the details of SQL Injection.

Web applications allow legitimate website visitors to submit and retrieve data to/from a database
over the Internet using their preferred web browser.

Databases are central to modern websites – they store data needed for websites to deliver specific
content to visitors and render information to customers, suppliers, employees and a host of
stakeholders. User credentials, financial and payment information, company statistics may all be
resident within a database and accessed by legitimate users through off-the-shelf and custom web
applications. Web applications and databases allow you to regularly run your business.

The figure below details the three-layered web application model. The first layer is normally a web
browser or the user interface; the second layer is the content generation technology tool such as
Java servlets (JSP) or Active Server Pages (ASP), and the third layer is the company database
containing content (e.g., news) and customer data (e.g., usernames and passwords, social
security numbers and credit card details).

This figure highlights the web application server residing between the web server and the
database. Loosely put, it is the web application that manages the requests to the database to
deliver the requested content to the user. Also, users may modify some of the data (e.g., updating
an email address, changing a password, posting a blog) through the web application.

For this model to function efficiently the Web Application has direct and open access to the
database.

www.acunetix.com 3
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

Typically, organisations would construct a solid shield around the database and the web servers
with firewalls, switches, intrusion detection systems and possible even web application firewalls.

They would also encrypt the communication between the user and the web application so this is
not intercepted or hijacked by possible hackers

The user has no access to the database itself but the web application has to function properly

In a legitimate scenario, where a person wants to buy a book, a car, an insurance, this is perfectly
fine and the data is safe because the IT Manager has made double sure he/she is protecting the
assets correctly.

Yet what happens when a hacker comes along? What are the security issues then related to web
applications?

SQL Injection – A Definition

SQL Injection is the hacking technique which attempts to pass SQL commands through a web
application for execution by the backend database. If not santised properly, web applications may
result in SQL Injection attacks that allow hackers to view information from the database, copy it
elsewhere for later use and/or even wipe it out.

www.acunetix.com 4
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

Such features as login pages, support and product request forms, feedback forms, search pages,
shopping carts, forums, blogs, community pages and the general delivery of dynamic content,
shape modern websites. These are all examples of web applications and provide businesses with
the long-awaited means to communicate more actively with prospects and customers.

Whether purchased off-the-shelf or custom-built to suit particular requirements, web applications

may all be susceptible to SQL Injection attacks.

SQL Injection: A Simple Example

Take a simple login page where a legitimate user would enter a username and password
combination to enter a secure area to view personal details or upload comments onto a forum.

When he submits his details, an SQL query is generated from these details and is submitted to the
database for verification. If valid, the user is allowed access. In other words, the web application
that controls the login page will communicate with the database through a series of planned
commands so as to verify the username and password combination. On verification, the legitimate
user is granted appropriate access.

Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of
bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs
are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the
database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to
the database.

The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET,
PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web
browser, knowledge of SQL queries and creative guess work to important table and field names.
The sheer simplicity of SQL Injection has fuelled its popularity.

www.acunetix.com 5
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

Why is it possible to pass SQL queries directly to a database that is hidden behind
a firewall and any other security mechanism?
Firewalls and similar intrusion detection mechanisms provide little or no defense against full-scale
SQL Injection web attacks.

Since a website needs to be public, standard security mechanisms will allow public web traffic to
communicate with your web application/s (generally over port 80/443). The web application has
open access to the database in order to return (update) the requested (changed) information.

In SQL Injection, the hacker uses SQL queries and creativity to get to the database of sensitive
corporate data through the web application.

SQL or Structured Query Language is the computer language that allows you to store, manipulate,
and retrieve data stored in a relational database (or a collection of tables which organise and
structure data). SQL is, in fact, the only way that a web application (and users) can interact with
the database. Examples of relational databases include Oracle, Microsoft Access, MS SQL
Server, MySQL, and Filemaker Pro, all of which use SQL as their basic building blocks.

www.acunetix.com 6
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

SQL commands include SELECT, INSERT, DELETE and DROP TABLE. DROP TABLE is as
ominous as it sounds and in fact will eliminate the table with a particular name.

In the legitimate scenario of the login page example above, the SQL commands planned for the
web application may look like the following:

SELECT count(*)
FROM users_list_table
WHERE username=’FIELD_USERNAME’
AND password=’FIELD_PASSWORD”

In plain English, this SQL command (from the web application) instructs the database to match the
username and password input by the legitimate user to the combination it has already stored.

Each type of web application is hard coded with specific SQL queries that it will execute when
performing its legitimate functions and communicating with the database. If any input field of the
web application is not properly sanitised, a hacker may inject additional SQL commands that
broaden the range of SQL commands the web application will execute, thus going beyond the
original intended design and function.

A hacker will thus have a clear channel of communication (or, in layman terms, a tunnel) to the
database irrespective of all the intrusion detection systems and network security equipment
installed before the physical database server.

Is my database at risk to SQL Injection?

SQL Injection is one of the most common application layer attacks currently being used on the
Internet. Despite the fact that it is relatively easy to protect against SQL Injection, there are a large
number of web applications that remain vulnerable.

According to the Web Application Security Consortium (WASC) 9% of the total hacking incidents
reported in the media until 27th July 2006 were due to SQL Injection. More recent data from our
own research shows that about 50% of the websites we have scanned this year are susceptible to
SQL Injection vulnerabilities.

It may be difficult to answer the question whether your web site and web applications are
vulnerable to SQL Injection especially if you are not a programmer or you are not the person who
has coded your web applications.

Our experience leads us to believe that there is a significant chance that your data is already at
risk from SQL Injection.

Whether an attacker is able to see the data stored on the database or not, really depends on how
your website is coded to display the results of the queries sent. What is certain is that the attacker
will be able to execute arbitrary SQL Commands on the vulnerable system, either to compromise it
or else to obtain information.

If improperly coded, then you run the risk of having your customer and company data
compromised.

What an attacker gains access to also depends on the level of security set by the database. The
database could be set to restrict to certain commands only. A read access normally is enabled for
use by web application back ends.

Even if an attacker is not able to modify the system, he would still be able to read valuable
information.

www.acunetix.com 7
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

What is the impact of SQL Injection?

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL
Query / Commands through an input form field. This is equivalent to handing the attacker your
database and allowing him to execute any SQL command including DROP TABLE to the
database!

An attacker may execute arbitrary SQL statements on the vulnerable system. This may
compromise the integrity of your database and/or expose sensitive information. Depending on the
back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system
access for the attacker. It may be possible to manipulate existing queries, to UNION (used to
select related information from two tables) arbitrary data, use subselects, or append additional
queries.

In some cases, it may be possible to read in or write out to files, or to execute shell commands on
the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain
stored and extended procedures (database server functions). If an attacker can obtain access to
these procedures, it could spell disaster.

Unfortunately the impact of SQL Injection is only uncovered when the theft is discovered. Data is
being unwittingly stolen through various hack attacks all the time. The more expert of hackers
rarely get caught.

Example of a SQL Injection Attack

Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="http://testasp.acunetix.com/login.asp">

<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>

The easiest way for the login.asp to work is by building a database query that looks like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password’

If the variables $username and $password are requested directly from the user's input, this can
easily be compromised. Suppose that we gave "Joe" as a username and that the following string
was provided as a password: anything' OR 'x'='x

SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'

As the inputs of the web application are not properly sanitised, the use of the single quotes has
turned the WHERE SQL command into a two-component clause.

The 'x'='x' part guarantees to be true regardless of what the first part contains.

This will allow the attacker to bypass the login form without actually knowing a valid username /
password combination!

www.acunetix.com 8
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

How do I prevent SQL Injection attacks?

Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web
attacks. Since your website needs to be public, security mechanisms will allow public web traffic to
communicate with your databases servers through web applications. Isn’t this what they have
been designed to do?

Patching your servers, databases, programming languages and operating systems is critical but
will in no way the best way to prevent SQL Injection Attacks.

How to check for SQL injection vulnerabilities

Securing your website and web applications from SQL Injection involves a three-part process:

1 Analysing the present state of security present by performing a thorough audit of your website
and web applications for SQL Injection and other hacking vulnerabilities.
2 Making sure that you use coding best practice santising your web applications and all other
components of your IT infrastructure.
3 Regularly performing a web security audit after each change and addition to your web
components.

Furthermore, the principles you need to keep in mind when checking for SQL Injection and all
other hacking techniques are the following: “Which parts of a website we thought are secure are
open to hack attacks?” and “what data can we throw at an application to cause it to perform
something it shouldn’t do?”.

Checking for SQL Injection vulnerabilities involves auditing your website and web applications.
Manual vulnerability auditing is complex and very time-consuming. It also demands a high-level of
expertise and the ability to keep track of considerable volumes of code and of all the latest tricks of
the hacker’s ‘trade’.

The best way to check whether your web site and applications are vulnerable to SQL injection
attacks is by using an automated and heuristic web vulnerability scanner.

An automated web vulnerability scanner crawls your entire website and should automatically
check for vulnerabilities to SQL Injection attacks. It will indicate which URLs/scripts are vulnerable
to SQL injection so that you can immediately fix the code. Besides SQL injection vulnerabilities a
web application scanner will also check for Cross site scripting and other web vulnerabilities.

Signature-Matching versus Heuristic Scanning for SQL Injection

Whereas many organisations understand the need for automating and regularising web auditing,
few appreciate the necessity of scanning both off-the-shelf AND bespoke web applications. The
general misconception is these custom web applications are not vulnerable to hacking attacks.
This arises more out of the “it can never happen to me” phenomenon and the confidence website
owners place in their developers.

A search on Google News returned 240 matches on the keyword “SQL Injection” (at time of
writing) since the 14th October. Secunia and SecuObs report dozens of vulnerabilities of known
web applications on a daily basis. Yet, examples of hacked custom applications are rarely cited in
the media. This is because it is only the known organisations (e.g. Choicepoint, AT&T, PayPal)
that hit the headlines over the past few months.

It is critical to understand that custom web applications are probably the most vulnerable and
definitely attract the greatest number of hackers simply because they know that such applications
do not pass through the rigorous testing and quality assurance processes of off-the-shelf ones.

www.acunetix.com 9
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

This means that scanning a custom web application with only a signature-based scanner will not
pinpoint vulnerabilities to SQL Injection and any other hacking techniques.

Establishing and testing against a database of signatures of vulnerabilities for known applications
is not enough. This is passive auditing because it will only cover off-the-shelf applications and any
vulnerabilities to new hacking techniques will not be discovered. In addition, signature matching
would do little when a hacker launches an SQL Injection attack on your custom web applications.
Hack attacks are not based on signature file testing – hackers understand that known applications,
systems and servers are being updated and secured constantly and consistently by respective
vendors. It is custom applications that are the proverbial honey pot.

It is only a handful of products that deploy rigorous and heuristic technologies to identify the real
threats. True automated web vulnerability scanning almost entirely depends on (a) how well your
site is crawled to establish its structure and various components and links, and (b) on the ability of
the scanner to leverage intelligently the various hacking methods and techniques against your web
applications.

It would be useless to detect the known vulnerabilities of known applications alone. A significant
degree of heuristics is involved in detecting vulnerabilities since hackers are extremely creative
and launch their attacks against bespoke web applications to create maximum impact.

How can Acunetix help you in auditing your site for SQL Injection?
Acunetix was founded to combat the alarming rise in web attacks including SQL Injection and
Cross-Site Scripting among others.

You may either purchase and operate our flagship product Acunetix Web Vulnerability Scanner or
you may opt for our new on-demand web security audit service SiteAudit.

Acunetix SiteAudit – On-Demand Web Security

Acunetix SiteAudit provides you with an immediate and comprehensive security audit of all off-the-
shelf and bespoke web applications.

Performed by our web security experts using Acunetix Web Vulnerability Scanner, Acunetix
SiteAudit:

• Provides you with an immediate and comprehensive website security audit

• Ensures your website is secure against web attacks
• Checks for SQL injection, Cross site scripting and other vulnerabilities
• Audits shopping carts, forms, and dynamic content
• Scans all your website and web applications including Javascript / AJAX applications for
security vulnerabilities.

Acunetix SiteAudit grants you immediate access to the latest technologies and best practices in
web vulnerability scanning, eliminating your total cost of ownership. Take advantage of our
extensive expertise in the field of web security and vulnerability scanning.

With Acunetix SiteAudit, you can focus on what matters most - fixing SQL Injection and all other
web application vulnerabilities – while eliminating the installation, hardware, administration, and
maintenance costs typically associated with purchasing and running software.

www.acunetix.com 10
 SQL Injection: What it is and how to prevent it Deleted: SQL Injection: What
is it and how to prevent it

About Acunetix

Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix
Web Vulnerability Scanner, is the result of several years of development by a team of highly
experienced security developers. Acunetix is a privately held company with headquarters based in
Europe (Malta), a US office in Seattle, Washington and an office in London, UK. For more
information about Acunetix, visit: http://www.acunetix.com; http://www.acunetix.de.

© 2007 Acunetix Ltd. All rights reserved. The information contained in this document represents the current view of
Acunetix on the issues discussed as of the date of publication. Because Acunetix must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Acunetix, and Acunetix cannot guarantee the
accuracy of any information presented after the date of publication. This White Paper is for informational purposes only.
Acunetix MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Acunetix, Acunetix Web
Vulnerability Scanner and their product logos are either registered trademarks or trademarks of Acunetix Softwar e Ltd. in
the United States and/or other countries. All product or company names mentioned herein may be the trademarks of their
respective owners.

www.acunetix.com 11