Guide to SQL injection

So first of all, just what exactly is SQL injection? Simply put, SQL injection is the process of injecting unsanitized commands into a website and altering the original database query. This can range from retrieving information or deleting records to in extreme cases file upload.

Many websites use SQL as a means of retrieving information from a website, they can do this a number or ways but the simplest way to explain SQL injection is with an URL (GET) parameter. See the example PHP code below.

<?php

//vulnerable php/SQL query
$query = mysqli_query($database_connection, "SELECT * FROM `users` WHERE `id`='".$_GET['id']."'");


?>

As you can see the query uses the URL parameter without any checks or sensitization, this means that additional SQL query's could be inserted and so the application will be vulnerable to SQL injection attacks.

This is how an SQL injected query would look to the database, I'll explain whats happening further down in case you don't fully understand.

SELECT * FROM `users` WHERE `id`='-1' UNION SELECT `user`,`password` FROM `admin`--'

So whats going on here? The original query is trying to request the user which has an id of -1, as this does not exist it returns no results. However, after this number you can see the ' UNION. This simply means that the condition is closed and a new query is to be performed, see where this is going? Now that a second query can take place the attacker is able to retrieve information from another table, in this instance the admin table.

How SQL injection can be used to bypass login fields

Another example of SQL injection would be using it to bypass a login field. Typically when you see a username/password login field it will query the database, you'll see a sample query below.

$query = mysqli_query($database_connection, "SELECT * FROM `users` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'");

This example is using POST data, but this shouldn't effect our ability to inject SQL into the statement. Although this method of SQL injection is not as common, if the input has not been sanitized then the login field can be easily bypassed with some basic SQL true/false statements. See below for an example of this.

random' OR 1=1--

If a login field has not been correctly sanitized then an attacker has the potential to perform SQL injection and gain access to another users account, you'll be able to see the complete SQL query below.

SELECT * FROM `users` WHERE `username`='random' OR '1'='1'-- ' AND `password`=''

How to protect against SQL injection

SQL injection can be prevented a number of ways but the easiest and most effective way is to ensure your website code is safely written, see the example above? That can be fixed with a few simple lines or built in functions, one example can be seen below but it is recommend that you take additional precautions.

<?php

$id = mysqli_real_escape_string($database_connection, $_GET['id']);
$query = mysqli_query($database_connection, "SELECT * FROM `users` WHERE `id`='".$id."'");


?>

The only sure fire way of protecting again SQL injection would be to never trust any user input and make use of prepared statements. Should arctil find any SQL injection vulnerabilities it's recommended that you take action and patch it immediately.

Below are some examples of how you can best protect yourself from SQL injection vulnerabilities.

Still need help?

Are you having trouble using arctil? Why not try reaching out to our Community Forum.

Alternatively, you can try contacting us through the Contact page.