What is the best online resource to learn about SQL injection attacks?

AI Thread Summary
SQL injection attacks occur when an attacker manipulates SQL statements through authorized channels, such as web forms or API calls, to achieve unintended effects like data modification or information leakage. A reliable definition emphasizes that these attacks exploit system vulnerabilities for malicious purposes. To secure databases against SQL injection, it is crucial to use prepared statements that safely insert user data as parameters, rather than appending user input directly to SQL queries. This method prevents attackers from executing harmful SQL commands. Additionally, while other types of database-related attacks exist, focusing on secure coding practices is essential. For those unfamiliar with programming, relying on a skilled developer to review and update code is recommended to maintain security. Regular software updates are also vital to mitigate potential vulnerabilities.
monero
Hallo all,

I need a very conceptual and clear-cut definition of SQL attacks... there are so many forms of definition and material available on the internet that I am just so confused... what is the most reliable and authentic source to grasp this info?

Thanks
 
Welcome to PF!

If you are asking about what a SQL injection attack is in technical (rather than, say, legal) terms, then I'd say it pretty much covers any situation where an attacker via an authorized channel (i.e. via normal usage of a web form, SOAP call, email, etc) to a back-end system can modify the SQL statements this system issues towards a database in order to achieve a side effect not originally intended or allowed by the system (like updating the database with "malicious" content, leaking information or denying normal service). This should be understood in the general computer security context of being an attack that exploits a weakness in a system for unintended purposes.

If (something) like the above is not what you seek, then perhaps you can tell what it is that confuses you and what you hope to "use" such definition for.
 
Filip Larsen said:
Welcome to PF!

If you are asking about what a SQL injection attack is in technical (rather than, say, legal) terms, then I'd say it pretty much covers any situation where an attacker via an authorized channel (i.e. via normal usage of a web form, SOAP call, email, etc) to a back-end system can modify the SQL statements this system issues towards a database in order to achieve a side effect not originally intended or allowed by the system (like updating the database with "malicious" content, leaking information or denying normal service). This should be understood in the general computer security context of being an attack that exploits a weakness in a system for unintended purposes.

If (something) like the above is not what you seek, then perhaps you can tell what it is that confuses you and what you hope to "use" such definition for.

Thank you for your attention

I read too many articles about this, and that made me so confused. I really just want to know it simply.

How do I secure the database from SQL injection attacks? I do not understand how to maintain the security of a site using a MySQL database system.

Thanks.
 
The usual method of securing your back-end code against SQL injection is to make sure all user data, i.e. all data the back-end receives from non-trusted parties no matter how it got transferred, is included in SQL statements using prepared statements with data inserted as parameters. The usual fallacy (security weakness) to look out for is an SQL statement constructed by textually appending the user data to the statement.

For instance (using Java, in other languages it would be similar) NEVER write

Code:
  Connection con = ...
  Statement stmt = con.createStatement();
  // VULNERABLE: username is appended to the SQL text, so the database parses it as SQL
  ResultSet rs = stmt.executeQuery("SELECT * FROM sometable WHERE user = '" + username + "'");
If the variable username is allowed to pass to this code unaltered from the user, he can specify his name as "bob'; delete from sometable where user = 'alice" (without the outermost quotes) and have your system delete data for alice (or something more nasty).

Instead you should write
Code:
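  Connection con = ...
  // PreparedStatement (not Statement) is the type that provides setString()
  PreparedStatement stmt = con.prepareStatement("SELECT * FROM sometable WHERE user = ?");
  stmt.setString(1, username);  // the driver binds username as a parameter value
  ResultSet rs = stmt.executeQuery();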
where the important part is that you use the database driver to insert the user data in a safe manner (here using stmt.setString()). In general you need to check each SQL statement your back-end code constructs and make sure that it (using the above technique or something similar) does not allow user data to be inserted unchanged.

Other languages/libraries may use a slightly more "unsafe" approach where you are to "escape" or "sanitize" variables with user data before you textually append them to your SQL statements. In any case, the key point is to follow the guidelines set forth by the database library in order to avoid the possibility of SQL injections.

There are of course other attack types that may involve a database that would not necessarily be classified as an SQL injection (like denial of service, faulty business logic allowing otherwise valid SQL to be executed, information leakage, database driver or application code buffer overflows, date conversion errors, etc) so be on the lookout for other such weaknesses too.
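
The two forms from the post above, run side by side with the user name string quoted in that post. This is an added example, not part of the original thread: it uses Python's sqlite3 with an in-memory database instead of Java/JDBC so it runs without a database server, and the note column, sample rows and function names are constructed for illustration. It assumes executescript() as a stand-in for a driver or connection setting that accepts several statements in one call.

```python
import sqlite3

# String quoted in the post as the user-supplied name.
PAYLOAD = "bob'; delete from sometable where user = 'alice"

def make_db():
    # Constructed sample data; table and column names follow the post.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sometable (user TEXT, note TEXT)")
    con.executemany("INSERT INTO sometable VALUES (?, ?)",
                    [("alice", "alice's data"), ("bob", "bob's data")])
    con.commit()
    return con

def lookup_unsafe(con, username):
    # VULNERABLE (the post's first form): input becomes part of the SQL text.
    sql = "SELECT * FROM sometable WHERE user = '" + username + "'"
    # Assumption: executescript() models a driver that runs every
    # ';'-separated statement it is handed.
    con.executescript(sql)
    return sql

def lookup_safe(con, username):
    # Hardened (the post's second form): '?' placeholder, value bound by the driver.
    cur = con.execute("SELECT * FROM sometable WHERE user = ?", (username,))
    return cur.fetchall()

def rows_for(con, user):
    # Count the rows that still exist for one user.
    cur = con.execute("SELECT COUNT(*) FROM sometable WHERE user = ?", (user,))
    return cur.fetchone()[0]

def demo():
    unsafe_db, safe_db = make_db(), make_db()
    lookup_unsafe(unsafe_db, PAYLOAD)             # second statement is executed
    safe_result = lookup_safe(safe_db, PAYLOAD)   # whole string compared as a name
    return rows_for(unsafe_db, "alice"), rows_for(safe_db, "alice"), safe_result

if __name__ == "__main__":
    # (alice rows after unsafe call, alice rows after safe call, safe result)
    print(demo())
```

With the bound parameter the whole string is compared as a single user name, so no row matches and alice's data is untouched.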
 
monero said:
How do I secure the database from SQL injection attacks? I do not understand how to maintain the security of a site using a MySQL database system.

If you're writing your own software (or modifying someone else's), you can secure yourself from SQL injection. If you are using someone else's software and don't know how to change it, or aren't able to, then you're at the mercy of the authors of the software, and cannot guarantee security.

If you're getting tripped up on the descriptions of SQL injection, I'm guessing that you're probably a site admin, but not a programmer. In that case, there's really not much (if anything) you can do, short of getting a programmer to fix the code on your site, or learning how to program yourself, and fixing the code.

Any way you slice it, the problem with SQL injection is the code. Short of having a VERY THOROUGH programmer go through your code and check it for weaknesses, the best you can do is simply keep your copy of the software up to date, and hope that all the security holes are caught.

DaveE
 