SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

Slides:

Advertisements

Similar presentations

Understand Database Security Concepts

Advertisements

Introduction The concept of “SQL Injection”

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

Structured Query Language - SQL Carol Wolf Computer Science.

PHP (2) – Functions, Arrays, Databases, and sessions.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

DT211 Stage 2 Databases Lab 1. Get to know SQL Server SQL server has 2 parts: –A client, running on your machine, in the lab. You access the database.

Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security At 9:10, you’ll have 15 minutes to do on- line student.

EC500 Lecture Made By: Jiaxi Jin, Rashmi Shah, Ludovico Fontana Boston University.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

MIS Week 11 Site:

Session 5: Working with MySQL iNET Academy Open Source Web Development.

Chapter 5 Introduction to SQL. Structured Query Language = the “programming language” for relational databases SQL is a nonprocedural language = the user.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

CS 3630 Database Design and Implementation. Your Oracle Account UserName is the same as your UWP username Followed Not case sensitive Initial.

Attacking Applications: SQL Injection & Buffer Overflows.

Programming using C# Joins SQL Injection Stored Procedures

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Web Scripting [PHP] CIS166AE Wednesdays 6:00pm – 9:50pm Rob Loy.

CSC 2720 Building Web Applications Database and SQL.

(Chapter 10 continued) Our examples feature MySQL as the database engine. It's open source and free. It's fully featured. And it's platform independent.

Copyright © 2013 Curt Hill Database Security An Overview with some SQL.

Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.

Copyright © 2010 Certification Partners, LLC -- All Rights Reserved Perl Specialist.

® IBM Software Group © 2006 IBM Corporation EGL/Web Project QuickStart – 2 of 4 – Creating the Business Logic Layer These slides walk you through the process.

ASP.NET More on searching databases 1ASP.NET, More on searching databases.

SQL – Injections Intro. Prajen Bhadel College of Information Technology & Engeneering Kathmandu tinkune Sixth semister.

Security Considerations Steve Perry

Copyright © 2003 ProsoftTraining. All rights reserved. Perl Fundamentals.

Creating a simple database This shows you how to set up a database using PHPMyAdmin (installed with WAMP)

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Form Handling IDIA 618 Fall 2014 Bridget M. Blodgett.

JDBC CS 260 Database Systems. Overview  Introduction  JDBC driver types  Eclipse project setup  Programming with JDBC  Prepared statements  SQL.

Security Issues With Web Based Systems. Security Issues Web Based Systems  Security can not be considered an add-on or afterthought  Security must be.

IS2803 Developing Multimedia Applications for Business (Part 2) Lecture 1: Introduction to IS2803 Rob Gleasure

Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.

Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005.

Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.

Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.

SQL Injection Attacks An overview by Sameer Siddiqui.

ADVANCED SQL.  The SQL ORDER BY Keyword  The ORDER BY keyword is used to sort the result-set by one or more columns.  The ORDER BY keyword sorts the.

Programming for the Web MySQL Command Line Using PHP with MySQL Dónal Mulligan BSc MA

SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel.

M M Waseem Iqbal.  Cause: Unverified/unsanitized user input  Effect: the application runs unintended SQL code.  Attack is particularly effective if.

CS242 SQL. What is SQL? SQL:  stands for Structured Query Language  allows you to access a database  is an ANSI standard computer language  can execute.

Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.

SQL Injection Attacks.

Database and Cloud Security

Database System Implementation CSE 507

Group 18: Chris Hood Brett Poche

Chapter 5 Introduction to SQL.

Example – SQL Injection

Unix System Administration

Pengantar Keamanan Informasi

Website Development Basics with PHP MySQL

Intro to Ethical Hacking

ISC440: Web Programming 2 Server-side Scripting PHP 3

PHP: Security issues FdSc Module 109 Server side scripting and

Chapter 13 Security Methods Part 3.

Lecture 2 - SQL Injection

Intro to Ethical Hacking

Presentation transcript:

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006

Context and Observations on this Slide Deck This slide deck was developed for use in a senior-level course providing an introduction to Web technologies and Web Engineering (UCSC CS 183) at UC Santa Cruz. The course was geared towards use of PHP and MySQL, and hence some examples in the deck identify specific PHP functions, or use PHP syntax. Students are assumed to already know SQL (a database course is prerequisite for CS 183) This was the first time this deck was used. It could be improved by adding a more in-depth scenario showing a SQL injection attack, and by showing a more in-depth code example protecting against SQL injection. Generally, students understood the concept of SQL injection, but were more shaky on how to integrate all of the techniques to guard against it in an actual Web application.

What is a SQL Injection Attack? Many web applications take user input from a form Often this user input is used literally in the construction of a SQL query submitted to a database. For example: –SELECT productdata FROM table WHERE productname = ‘user input product name’; A SQL injection attack involves placing SQL statements in the user input

An Example SQL Injection Attack Product Search: This input is put directly into the SQL statement within the Web application: –$query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘”. $_POST[‘prod_search’]. “’”; Creates the following SQL: –SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’ –Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x

A More Malicious Example What if the attacker had instead entered: –blah‘; DROP TABLE prodinfo; -- Results in the following SQL: –SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’ –Note how comment (--) consumes the final quote Causes the entire database to be deleted –Depends on knowledge of table name –This is sometimes exposed to the user in debug code called during a database error –Use non-obvious table names, and never expose them to user Usually data destruction is not your worst fear, as there is low economic motivation

Other injection possibilities Using SQL injections, attackers can: –Add new data to the database Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site Perform an INSERT in the injected SQL –Modify data currently in the database Could be very costly to have an expensive item suddenly be deeply ‘discounted’ Perform an UPDATE in the injected SQL –Often can gain access to other user’s system capabilities by obtaining their password

Defenses Use provided functions for escaping strings –Many attacks can be thwarted by simply using the SQL string escaping mechanism ‘  \’ and “  \” –mysql_real_escape_string() is the preferred function for this Not a silver bullet! –Consider: SELECT fields FROM table WHERE id = 23 OR 1=1 No quotes here!

More Defenses Check syntax of input for validity –Many classes of input have fixed languages addresses, dates, part numbers, etc. Verify that the input is a valid string in the language Sometime languages allow problematic characters (e.g., ‘*’ in addresses); may decide to not allow these If you can exclude quotes and semicolons that’s good –Not always possible: consider the name Bill O’Reilly Want to allow the use of single quotes in names Have length limits on input –Many SQL injection attacks depend on entering long strings

Even More Defenses Scan query string for undesirable word combinations that indicate SQL statements –INSERT, DROP, etc. –If you see these, can check against SQL syntax to see if they represent a statement or valid user input Limit database permissions and segregate users –If you’re only reading the database, connect to database as a user that only has read permissions –Never connect as a database administrator in your web application

More Defenses Configure database error reporting –Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) –Configure so that this information is never exposed to a user If possible, use bound variables –Some libraries allow you to bind inputs to variables inside a SQL statement –PERL example (from injection.html) $sth = $dbh->prepare("SELECT , userid FROM members WHERE = ?;"); $sth->execute($ );