Quick Hits: Understanding SQL Injections

The following is a quick post that should help you understand how SQL Injections work.

SQL injection is a software vulnerability introduced when developers build dynamic SQL queries by concatenating user input directly into the query text, so the database cannot tell where the query ends and the data begins. It affects most programming languages and any type of database that accepts a query language. The following is an example of unsafe Java code that is vulnerable to SQL injection:

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Vulnerable: the raw request parameter is concatenated into the SQL text.
String query = "SELECT account_transactions FROM user_data WHERE user_name = "
    + request.getParameter("customer_name");

try {
    Statement statement = connection.createStatement();
    ResultSet results = statement.executeQuery( query );  // untrusted input is parsed as SQL
} catch (SQLException e) {
    // error handling omitted for brevity
}

In this example the request.getParameter() method retrieves the customer_name value submitted from the form, and that value is appended, unquoted and unvalidated, to the end of the query string. Because the database parses the entire string as SQL, an attacker who controls the parameter can change the structure of the query rather than merely supplying data. For the code above, an attacker can send '' OR 1=1 as the customer_name parameter. The empty string '' keeps the comparison syntactically valid, and OR 1=1 makes the WHERE clause true for every row, so instead of one customer's transactions the query returns every row in the table.

Thus, a query that is supposed to look like:

SELECT account_transactions FROM user_data WHERE user_name = 'someuser'

Will be transformed to look like the below as the result of a SQL Injection Attack:

SELECT account_transactions FROM user_data WHERE user_name = '' OR 1=1

This returns every row in user_data: 1=1 is always true, and the OR makes the whole WHERE clause true regardless of what user_name holds, so the user_name check no longer filters anything.
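To make the mechanism concrete, here is an added example that is not part of the original post. It mirrors the Java snippet in Python against an in-memory SQLite database: a table named user_data with the post's two columns, a constructed handful of sample rows, the same string-concatenated query, and, for contrast, a parameterised version of the query. The table contents and user names are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post): users and their transactions.
SAMPLE_ROWS = [
    ("alice", "2024-01-03 deposit 500"),
    ("alice", "2024-01-09 withdrawal 120"),
    ("bob", "2024-01-04 deposit 75"),
    ("carol", "2024-01-11 transfer 300"),
]


def build_db():
    """Create an in-memory SQLite database shaped like the post's user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_transactions TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, customer_name):
    """Mirror of the post's Java: the input is concatenated straight into the SQL text.

    The caller has to supply its own quotes (e.g. "'alice'"), and anything else the
    caller supplies is parsed as SQL too, which is exactly what the attacker exploits.
    """
    query = "SELECT account_transactions FROM user_data WHERE user_name = " + customer_name
    return [row[0] for row in conn.execute(query)]


def safe_query(conn, customer_name):
    """Hardened form: a parameterised query.

    The SQL text is fixed; the input is bound to the ? placeholder as a value, so the
    database never interprets it as part of the statement.
    """
    query = "SELECT account_transactions FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]


def demo():
    """Run the legitimate input and the post's payload through both versions."""
    conn = build_db()
    payload = "'' OR 1=1"  # the injection string from the post
    return {
        "vulnerable_legit": vulnerable_query(conn, "'alice'"),
        "vulnerable_attack": vulnerable_query(conn, payload),
        "safe_legit": safe_query(conn, "alice"),
        "safe_attack": safe_query(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With the concatenated query the payload '' OR 1=1 returns all four rows, while the parameterised query returns nothing for it, because it is looking for a user literally named '' OR 1=1. Note also how brittle the concatenated version is even for honest callers: passing alice without quotes makes SQLite treat the word as a column name and raise an error. The Java equivalent of safe_query is a PreparedStatement with a ? placeholder and setString() for the parameter.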