SQL INJECTION (SQLI)
Last updated
Last updated
SQLi are attacks against relational database management systems (RDBMS) such as MySQL. NoSQLi attacks are those against non RDBMS such as MongoDB. SQLi attacks occurs when a malicious user attempts to pass input that changes the final SQL query sent by the web application to the database, enabling the user to perform other unintended SQL queries directly against the database.
SQLi process starts by injecting code outside the expected user input limits, so it does not get executed as simple user input. this is done through the injection of a single quote (') or a double quote (") to escape the limits or bounds of the user input and inject data directly into the SQL query. afterward, make up a working query that executes both the intended and the new SQL queries using queries or using queries. lastly, interpret the new query's output or capture it on the web application's front end.
To make SQLi work, ensure that the newly modified SQL query is still valid and does not have any syntax errors after our injection. this is accomplished by using comments or passing in multiple single quotes.
this type of SQLi the output of both the intended and the new query may be printed directly on the front end, and can be directly read
UNION-BASED SQLI: requires specifying the exact location, 'i.e., column', which we can read, so the query will direct the output to be printed there
ERROR-BASED SQLI: this is used when we can get the PHP or SQL errors in the front-end, and so we may intentionally cause an SQL error that returns the output of our query.
this type doesn't provide visual output, so threat actors utilize SQL logic to retrieve the output character by character
BOOLEAN-BASED SQLI: uses SQL conditional statements to control whether the page returns any output, 'i.e., original query response,' if the conditional statement returns true
TIME-BASED SQLI: uses SQL conditional statements that delay the page response if the conditional statement returns true using the sleep() function
this type directs the output to a remote location, 'i.e., DNS record,' and then attempt to retrieve it from there as there is no direct access to the output
sanitizing any user input will render injections useless.
use functions that escape characters sch as ' and ", so they don't hold any special meaning.
use parameterized queries. Parameterized queries contain placeholders for the input data, which is then escaped and passed on by the drivers. Instead of directly passing the data into the SQL query, we use placeholders and then fill them with PHP functions.
ensure user input data matches the expected form input
e.g., when taking an email as input, validate that the input is in the form of ...@email.com, etc.
ensure users querying the database only has minimum permissions.
Superusers and users with administrative privileges should never be used with web applications. These accounts have access to functions and features, which could lead to server compromise.
Web Application Firewalls (WAF) are used to detect malicious input and reject any HTTP requests containing them. This helps in preventing SQL Injection even when the application logic is flawed. WAFs can be open-source (ModSecurity) or premium (Cloudflare). Most of them have default rules configured based on common web attacks
e.g., any request containing the string INFORMATION_SCHEMA would be rejected, as it's commonly used while exploiting SQL injection.
is for MySQL
is for PostgreSQL
the function will safely escape any quotes and place the values in the query.
the function checks if the input matches the given pattern or not
