Hacking SQL

Written by Supakorn Laohasongkram on August 23rd, 2014

I actually never tried hacking anything. However, after some research about "SQL injection," it appears that SQL is easily hackable if one is not careful. This article aims to show some of the methods malicious hackers use to attack and exploit an SQL database, then goes further into ways to prevent your site from being hacked.

What is SQL injection? Normally when you try to log in to your email or an account on a website, what you see are the boxes that ask you to input your username and password. Typically, a user simply inputs his or her username and password and logs in. SQL injection uses exactly the same boxes, except that instead of inputting a username and password, one inputs code or a command that manipulates the database itself.

Take a look at this code sample.

    txtUserId = getRequestString("UserId");
    txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The first line fetches the input from the user; the second pastes that input directly into a SELECT statement. Everything seems to be correct, but wait until you see this next code.

What If This is What I Input? SQL Injection!

Username:
    SELECT * FROM Users WHERE UserId = 1 or 1=1
    --BOOM! SHOW ALL FROM Users

The resulting SQL statement is shown above. It is perfectly valid and compatible with the first code sample, and it will return all rows from the table Users, since WHERE 1=1 is always true. So now I could access all of the information from users.

Now Try This! Deleting Database

Username:
    SELECT * FROM Users WHERE UserId = 1; DROP TABLE Suppliers;
    --BOOM! TABLE Suppliers out the window!

Next thing you know, the semicolon in the injected input ended the SELECT and began a new SQL statement for you, saying "drop the table Suppliers!" Great..

And This! Email Me Your Password

Username:
    SELECT *
    FROM users
    WHERE userid = 1;
    UPDATE users
    SET email = 'my_email@hotmale.com'
    WHERE userid = 1;

Now all I have to do is click on "forgot my password" and wait for the password to arrive in my email! Yay!

Measures Against SQL Injection

In my research, there is a definite pattern in the articles I read about how to deal with SQL injection. All of them agree on one thing: use SQL parameters.

An SQL parameter is a technique that separates the user's input from the SQL statement by putting a placeholder in the statement and binding the input to it before executing. By doing so, the input is treated as "data" rather than as code inside the SQL statement. Consequently, an injected string can no longer change what the statement does.
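To show the difference in running code, here is an added example that is not part of the original post. It uses Python's built-in sqlite3 module and an in-memory Users table filled with constructed sample rows; the function names get_user_vulnerable, get_user_safe and compare are my own. The first function mirrors the string-concatenation pattern from the post, the second binds the same input to a ? placeholder, and compare runs one input through both so you can see that the "1 or 1=1" value from the post returns every row in the first case and nothing in the second.

```python
import sqlite3

# Constructed sample data (not from the original post) so the example runs offline.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory Users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Email TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_user_vulnerable(conn, txt_user_id):
    """The pattern from the post: the raw input is concatenated into the SQL text.

    Whatever the user typed becomes part of the statement, so an input such as
    "1 or 1=1" rewrites the WHERE clause instead of being compared against UserId.
    """
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()


def get_user_safe(conn, txt_user_id):
    """Parameterized version: the statement text is fixed and the input is bound
    to the ? placeholder, so the database engine receives it as data only."""
    txt_sql = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(txt_sql, (txt_user_id,)).fetchall()


def compare(txt_user_id):
    """Run the same input through both versions.

    Returns (rows_from_vulnerable_query, rows_from_parameterized_query).
    """
    conn = make_db()
    try:
        vulnerable_rows = get_user_vulnerable(conn, txt_user_id)
        safe_rows = get_user_safe(conn, txt_user_id)
    finally:
        conn.close()
    return len(vulnerable_rows), len(safe_rows)


if __name__ == "__main__":
    # A normal lookup behaves the same either way: one matching row.
    print("input '1':         ", compare("1"))
    # The injected value from the post: every row via concatenation, none via a parameter.
    print("input '1 or 1=1':  ", compare("1 or 1=1"))
```

With the parameterized query, SQLite compares the whole string "1 or 1=1" against the UserId column and finds no match; there is no point at which the text is parsed as SQL, which is exactly the property the post's recommendation relies on.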


© Copyright Supakorn Laohasongkram 2014