What is SQL injection and how to protect yourself
When we talk about SQL injection, the mind jumps to a medical device injecting SQL code into our body with devastating effects, and the simile is not far from reality. SQL injection is one of the biggest threats to a web project, and it is far more general than many developers believe. Forgive one more simile: it is like the diseases you assume only happen to other people, until one day, by surprise, it is your turn. There is no need to beat around the bush. A SQL injection on your website can take down an entire database, with the consequent loss of data or sensitive information. If you have no backup system, you can assume the project has gone down the drain with no chance of recovering the lost information.
It hardly needs saying that, for our clients, the information collected on a website is vital to keeping that website running. That is why you have to defend it tooth and nail against this vulnerability, and today we explain how.
SQL injections are carried out by attackers looking for weaknesses in the POST or GET requests of a website. As a general rule, the values in these requests are later passed as parameters into some SQL statement that inserts, edits, deletes or reads information. Consider two clearly different cases. Imagine we have developed a blog. To open the view of an article, we pass its ID in the URL via GET. The application receives it and queries the database for the article with the ID it was given. A different case: imagine a registration form on our website. The fields sent by POST are written directly into the users table in the database. You see where this is going, right? This is exactly what attackers exploit with SQL injection: they tamper with the contents of the request so that it forms new SQL statements, and use those to break into the database or corrupt it.
Okay, I am painting the worst case. Many SQL injections are not meant to destroy all the information in the database, but to extract all of the target application's data through the queries it already runs. I am not sure which is worse: that they get direct access to all of our project's data, including the most sensitive items such as users' personal details, or that they destroy fields, tables or even the whole database.
How to recognize an SQL injection:
There are many ways to carry out a SQL injection attack, but in this article we show you the simplest one. Simpler does not mean less harmful. Picture the situation: our website has the typical login form that asks for an email and a password to validate the user and unlock new functions on the site.
To inject SQL code, I could fill the first field with any email, for example [email protected], and in the second field, the password, I would enter this value: ' or 1 = 1 --
When the application checks with a SQL query whether that user exists, the statement it actually runs becomes:
SELECT * FROM users WHERE email = '[email protected]' and password = '' or 1 = 1 --'
The injected part is the fragment ' or 1 = 1 --. The first quote closes the (empty) password string, OR 1 = 1 adds a comparison that is always true, and -- turns the rest of the line, including the closing quote the application appended, into a comment. Because AND binds tighter than OR, the condition reads (email = '...' AND password = '') OR 1 = 1, which is true for every row. The query therefore returns the whole users table, the application sees a match, and we are let in, typically as whichever user comes first.
The example is simple but devastating. There are more complex SQL injections, but with the advice below you can shut most of them out without much effort.
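To make the walkthrough concrete, here is an added example (written for this edit, not the article's own code). It builds the login query by string concatenation exactly as described above and runs it against an in-memory SQLite table instead of MySQL; the users and their passwords are constructed sample data. It also goes one step beyond the article: the same trick in the email field, with no OR at all, logs in as a chosen account because the whole password check is commented away.

```python
import sqlite3

# Constructed sample data (not from the article): an admin and an ordinary user.
# Passwords are stored in clear only to keep the demo short.
SAMPLE_USERS = [
    (1, "admin@example.com", "s3cret"),
    (2, "alice@example.com", "hunter2"),
]


def make_db():
    """In-memory SQLite stand-in for the article's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_login_query(email, password):
    """The vulnerable pattern: the two POST fields are pasted into the SQL text."""
    return f"SELECT * FROM users WHERE email = '{email}' AND password = '{password}'"


def vulnerable_login(conn, email, password):
    """Run the concatenated query and return every matching row.

    A real login handler would take the first row as the authenticated user.
    """
    return conn.execute(build_login_query(email, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()

    # Legitimate use: the right password returns exactly one row.
    print(vulnerable_login(conn, "alice@example.com", "hunter2"))

    # The article's payload in the password field. AND binds tighter than OR, so
    # the WHERE clause becomes (email = ... AND password = '') OR 1 = 1, which is
    # true for every row, and -- comments out the trailing quote.
    payload = "' or 1 = 1 --"
    print(build_login_query("nobody@example.com", payload))
    print(vulnerable_login(conn, "nobody@example.com", payload))  # both rows

    # Generalisation: the same trick in the email field, without any OR, picks a
    # specific account because the password comparison is commented out.
    print(vulnerable_login(conn, "admin@example.com' --", "anything"))  # admin row
```

Run it once with a correct password and once with the payload to see the difference: the first call returns one row, the payload returns the whole table, and the email-field variant returns only the admin row.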
How to protect against an SQL injection?
There are three basic measures, best applied together, that will let you fend off these attacks.
Clean up requests for special characters:
As you saw above, the injection broke out of the password field by adding a single quote, though it could just as well have used a double quote, depending on which delimiter the query uses. There are several ways to escape these special characters; in PHP, for example, the classic function is mysql_real_escape_string(), which escapes them so that they cannot change the meaning of the query. Note that the old mysql_* extension was removed in PHP 7.0; its current equivalents are mysqli_real_escape_string() and PDO::quote(), and prepared statements (mysqli or PDO) avoid the problem altogether by keeping the values out of the SQL text.
Delimit values in queries
Use single quotes to delimit each value in a query. It sounds obvious, yet many developers forget it. These two queries are not the same:
SELECT * FROM users WHERE id = $var
SELECT * FROM users WHERE id = '$var'
Combined with the previous advice, this makes life much harder for attackers coming at you with syringe in hand. Escaping only protects a value that sits inside quotes: in the first form above, an attacker needs no quote at all, since a value such as 1 OR 1 = 1 is valid SQL on its own.
Always check the data sent:
Check for unexpected characters. If the field is an email, check that what was sent has the format of an email. If it is a phone number, check its length and format too. If the user must enter a whole number, verify that it really is one before using it. In short, verify that the data received is of the expected type, and you will save yourself a lot of trouble.
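The three measures above, as an added Python/SQLite example (not the article's code). The article's PHP/MySQL escaping function is replaced by a minimal quote-doubling escape, and the regular expressions used for validation are this example's own choices. The last two functions show parameterized queries, which the article's list does not include but which are the standard fix: the values travel separately from the SQL text, so the driver never parses them as SQL.

```python
import re
import sqlite3

# Constructed sample data (not from the article): an admin and an ordinary user.
# Passwords are stored in clear only to keep the demo short.
SAMPLE_USERS = [
    (1, "admin@example.com", "s3cret"),
    (2, "alice@example.com", "hunter2"),
]


def make_db():
    """In-memory SQLite stand-in for the article's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


# 1. Escaping special characters. Inside a SQL string literal a quote is written
# as two quotes; this is the core of what mysql_real_escape_string() does
# (simplified here: SQLite has no backslash escapes, so only the quote matters).
def escape_sql_string(value):
    return value.replace("'", "''")


def login_escaped(conn, email, password):
    query = (
        f"SELECT * FROM users WHERE email = '{escape_sql_string(email)}' "
        f"AND password = '{escape_sql_string(password)}'"
    )
    return conn.execute(query).fetchall()


# 2. Delimiting values. Escaping only protects a value that sits inside quotes.
# The unquoted form from the article (id = $var) stays injectable even after
# escaping, because a payload such as "1 OR 1=1" contains no quote to escape.
def article_by_id_unquoted(conn, user_id):
    query = f"SELECT * FROM users WHERE id = {escape_sql_string(user_id)}"
    return conn.execute(query).fetchall()


def article_by_id_quoted(conn, user_id):
    query = f"SELECT * FROM users WHERE id = '{escape_sql_string(user_id)}'"
    return conn.execute(query).fetchall()


# 3. Checking the data sent: reject anything that is not the expected type or
# shape before it gets near a query. (The regexes are this example's choices.)
EMAIL_RE = re.compile(r"^[^@\s']+@[^@\s']+\.[A-Za-z]{2,}$")


def validate_email(value):
    return bool(EMAIL_RE.match(value))


def validate_id(value):
    """Return the id as an int, or None if the input is not a plain integer."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


# Beyond the article's three measures: parameterized queries. The SQL text is
# fixed and the values are bound separately, so they can never become SQL.
def login_parameterized(conn, email, password):
    return conn.execute(
        "SELECT * FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchall()


def article_by_id_parameterized(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1 = 1 --"
    print("escaped login with payload:", login_escaped(conn, "nobody@example.com", payload))
    print("unquoted id with '1 OR 1=1':", article_by_id_unquoted(conn, "1 OR 1=1"))
    print("quoted id with '1 OR 1=1':", article_by_id_quoted(conn, "1 OR 1=1"))
    print("validate_id('1 OR 1=1'):", validate_id("1 OR 1=1"))
    print("parameterized login with payload:", login_parameterized(conn, "nobody@example.com", payload))
```

Running the script shows the escaped and parameterized logins returning no rows for the payload, the unquoted id query returning every user for 1 OR 1=1 while the quoted one returns nothing, and the validator rejecting that value before any query runs.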