How hackers hack websites? and how to protect my website?

2 replies

SQL Injection is one of the most common security vulnerabilities on the web. Here I'll try to explain in detail this kind of vulnerabilities with examples of bugs in PHP and possible solutions.

If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It's "de facto" the standard language to access and manipulate data in databases.

Nowadays most websites rely on a database (usually MySQL) to store and access data.

Our example will be a common login form. Internet surfers see those login forms every day, you put your username and password in and then the server checks the credentials you supplied. Ok, that's simple, but what happens exactly on the server when he checks your credentials?

The client (or user) sends to the server two strings, the username and the password.

Usually the server will have a database with a table where the user's data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings he will query the database to see if the supplied credentials are valid. He will use an SQL statement for that that may look like this:

SELECT * FROM users WHERE username='<username>' AND password='<password>'
For those of you who are not familiar with the SQL language, in SQL the ' character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user.

In this example we see that the username and password supplied are inserted into the query between the ' and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).

Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:

SELECT * FROM users WHERE username=''' AND password=''

This would trigger an error, since the database engine would consider the end of the string at the second ' and then it would trigger a parsing error at the third ' character. Let's now see what would happen if we send this input data:

Username: ' OR 'a'='a
Password: ' OR 'a'='a

The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since a is always equal to a, this query will return all the rows from the table users and the server will "think" we supplied it with valid credentials and let us in - the SQL injection was successful :).

Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128));

There's a single row in that table with data:

username: testuser
password: testing

To check the credentials I made the following query in the PHP code:

$query="select username, password from users where username='".$user."' and password='".$pass."'";

The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).

So, last time I showed you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to get more information about the database structure.

Let's get started! So, if we put just a ' character in the username field we get an error message like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1

That's because the query became

select username, password from users where username=''' and password=''

What happens now if we try to put into the username field a string like ' or user='abc ?
The query becomes

select username, password from users where username='' or user='abc ' and password=''

And this gives us the error message
Unknown column 'user' in 'where clause'

That's fine! Using these error messages we can guess the columns in the table. We can try to put in the username field ' or email=' and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ' or email=' in both the username and password fields and our query becomes

select username, password from users where username='' or email='' and password='' or email=''

which is a valid query and if that email address exists in the table we will successfully log in!

You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field ' or user.test=' and you will see an error message like
Unknown table 'user' in where clause

Fine! Let's try with ' or users.test=' and we have
Unknown column 'users.test' in 'where clause'

so logically there's a table named users :).

Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use this information in an attack.
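The post shows the vulnerable query and its payloads but never the fix, so here is an added example (not code from the post's author) that reproduces the login check against the post's users table and puts the defensive version beside it. It uses Python with an in-memory SQLite database instead of PHP and MySQL, so the table, the single testuser row and the e-mail value are constructed here, and the error texts are SQLite's rather than the MySQL messages quoted above; the function names are this example's own.

```python
import sqlite3

# Schema from the post, rebuilt for SQLite (constructed for this demo).
SCHEMA = """
CREATE TABLE users (
    username VARCHAR(128),
    password VARCHAR(128),
    email    VARCHAR(128)
);
"""


def make_db():
    """Create the post's users table with its single row (e-mail is made up here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("testuser", "testing", "testuser@example.invalid"))
    conn.commit()
    return conn


def vulnerable_login(conn, user, pw):
    """The post's PHP query, rebuilt by string concatenation.

    Returns ("ok", matched) or ("error", db_message).  Returning the raw
    database message mirrors the post's server, which prints MySQL errors.
    """
    query = ("select username, password from users where username='"
             + user + "' and password='" + pw + "'")
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # An attacker sees the parser's complaint, e.g. "no such column: user".
        return ("error", str(exc))
    return ("ok", len(rows) > 0)


def safe_login(conn, user, pw):
    """Same check with bound parameters: quotes in the input never reach the parser."""
    query = "select username, password from users where username=? and password=?"
    rows = conn.execute(query, (user, pw)).fetchall()
    return len(rows) > 0


def login_response(conn, user, pw):
    """What the application should return: one generic message, no DB details."""
    try:
        ok = safe_login(conn, user, pw)
    except sqlite3.Error:
        # Log the real error server-side; never echo it to the client.
        ok = False
    return "Welcome" if ok else "Invalid username or password"


if __name__ == "__main__":
    db = make_db()
    for u, p in [("testuser", "testing"), ("'", ""), ("' or user='abc", ""),
                 ("' OR 'a'='a", "' OR 'a'='a")]:
        print(repr(u), "->", vulnerable_login(db, u, p), "|", login_response(db, u, p))
```

Run it and the concatenated query accepts the post's ' OR 'a'='a payload and leaks column and syntax errors for the probing inputs, while the parameterised version treats every one of those strings as a literal username and answers with the same generic message. The table still stores the password in clear text exactly as the post's schema does; a real deployment would store a salted hash and compare against that instead.
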
Intrusion Prevention solutions detect and eliminate content-based threats from email, viruses, worms, intrusions, etc. in real time without degrading network performance. They detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance.

Today's global information infrastructure faces possible huge financial losses caused by ineffective Intrusion Prevention. Among the most vulnerable technologies are Providers of VoIP, video teleconferencing and data over cellular networks. While these providers have integrated into their products, the need for new Intrusion Prevention solutions is constant. Here are some of the areas in which Intrusion Prevention offers effective solutions.

Instant Messaging - Intrusion Prevention
The real-time, interactive nature of Instant Messaging makes it a valuable tool for business partners, customers and fellow employees. The breach of security opportunities created by the use of IM must be managed, given its position as a widely accepted business communications tool.

Real Time Vulnerability - Intrusion Prevention
Real Time Vulnerability Protection Suite breaks away from the reactive method of chasing attacks after they happen to eliminating and protecting vulnerabilities on your systems. By protecting against known and unknown vulnerabilities, you can ensure data reliability and security.

Network Infrastructure - Intrusion Prevention
Intrusion Prevention protects the network infrastructure so you can carry on your business without disruption. Enterprise level solutions offer effective network intrusion prevention solutions (IPS) within the context of your company's comprehensive security policy.

Email - Intrusion Prevention
Financial Companies, manufacturers, retailers, etc. use intrusion prevention to scan messages and attachments for viruses. Together with a "preemptive" email security approach, effective intrusion prevention offers the best protection from spam and virus attacks.

Application Level Attacks - Intrusion Prevention
A successful denial of service attack can put a corporate website off line for hours or more. Intrusion Prevention products offer the best protection against application level attacks and secure all networked applications, users and server resources.

Large Enterprises - Intrusion Prevention
Large Enterprises with widely dispersed Carrier & Data Center Networks need specially built high-performance security gateway Intrusion Prevention with proven firewall and IPSec VPN to deliver scalable network and application level security. Intrusion prevention protects the enterprise against the seemingly insignificant worm, virus, trojan, etc. that can topple its network.
