Table of Contents Source referencesIntro
This article mainly refers to another external source.
Textual copies of following sources were used:
Quoted text is in italic. Please check the TNWiki Terms of Use section for more information. The TOU page also contains contact details in case the owner of the copyright wants to provide feedback. As stated on the Wiki main page you can also Provide site feedback on the TechNet Wiki directly.
Derived from sources (1) and (2)
SQL injection represents skills to take advantage of non-validated input vulnerabilities to initiate SQL commands through a Web application for executing via a back end database. Remote attackers are able to take advantage of the fact that most programmers often chain together SQL commands with user-provided parameters due to their lazy attitude, and are able to embed SQL commands inside these parameters. Usually the remote attacker will execute arbitrary SQL queries and/or commands on the back end database server through the Web application. Quoted from source (1) Details Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user. A common example is a Web application that manages products. In one of the Web application's dynamic pages (such as ASP), users are able to enter a product identifier and view the product name and description. The request sent to the database to retrieve the product's name and description is implemented by the following SQL statement.
SELECT ProductName, ProductDescription
FROM Products
WHERE ProductNumber = ProductNumber
Typically, Web applications use string queries, where the string contains both the query itself and its parameters. The string is built using server-side script languages such as ASP, JSP and CGI, and is then sent to the database server as a single SQL statement. The following example demonstrates an ASP code that generates a SQL query.
sql_query= "
WHERE ProductNumber = " & Request.QueryString("ProductID")
The call Request.QueryString("ProductID") extracts the value of the Web form variable ProductID so that it can be appended as the SELECT condition.
When a user enters the following URL:
http://www.mydomain.com/products/products.asp?productid=123
The corresponding SQL query is executed:
WHERE ProductNumber = 123
An attacker may abuse the fact that the ProductID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL:
http://www.mydomain.com/products/products.asp?productid=123 or 1=1
The corresponding SQL Statement is:
SELECT ProductName, Product Description
WHERE ProductNumber = 123 OR 1=1
This condition would always be true and all ProductName and ProductDescription pairs are returned. The attacker can manipulate the application even further by inserting malicious commands. For example, an attacker can request the following URL:
http://www.mydomain.com/products/products.asp?productid=123; DROP
TABLE Products
In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products" which causes SQL Server to delete the entire Products table.
An attacker may use SQL injection to retrieve data from other tables as well. This can be done using the SQL UNION SELECT statement. The UNION SELECT statement allows the chaining of two separate SQL SELECT queries that have nothing in common. For example, consider the following SQL query:
WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;
The result of this query is a table with two columns, containing the results of the first and second queries, respectively. An attacker may use this type of SQL injection by requesting the following URL:
http://www.mydomain.com/products/products.asp?productid=123 UNION
SELECT user-name, password FROM USERS
" (end of quote) Alternate scripts for SQL injection is also known as...
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
' or '1'='1
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '
SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
To prevent this.. from happening SQL Database maintenance is important... Always patch your Database to highest patch level. To minimize the risk of getting attack.
Microsoft also release a list of patches for SQL Database Injection. You may refer the below information.
http://technet.microsoft.com/en-us/security/bulletin/ms02-038
Carsten Siemens edited Revision 4. Comment: Pirated Content - see my comment
Carsten Siemens edited Original. Comment: Added tag: Candidate for deletion, Plagiarism. See my posted comment for details.
Good for knowledge !!!
This article is a plagiarism!
It's a textual copy from the web page of a company which offers security software products: www.imperva.com/.../sql_injection.html
Another source (or plagiated source) might be a post which was done by "nihil thakur" on June 2nd 2011 (i.e. a year before this article): hacktechworld.blogspot.de
NOTE: This article was reported as Pirated/Plagiarized Content (content you didn't write) and will be removed. Please do not steal content from others. If you feel we are mistaken, please leave a comment or email tnwiki at Microsoft with a link to this article and with clear and detailed reasons why you own the content or have explicit permission from the author.
Content was taken from:
www.imperva.com/.../sql_injection.html
hacktechworld.blogspot.de/.../sql-injection.html