
Chapter 5 - SQL-Injection-NK.pdf


  1. Database Security, Chapter 5-2: SQL Injection. Prof. Naoufel Kraiem, 2022
  2. Introduction
     - What is SQL Injection?
     - Real World Examples
     - Important SQL Syntax
     - Example Website
     - Prevention
  3. What is SQL Injection?
     - A code injection technique
     - Exploits a security vulnerability
     - Targets user input handlers
  4. Real World Examples
     - On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack.
     - In 2008 a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL database server. Over 500,000 sites were exploited.
  5. (Slides 5 to 12 are image-only; no text was extracted. Slide 6 is titled "SQL injection".)
  13. SQL injection examples. There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
     - Retrieving hidden data, where you can modify an SQL query to return additional results.
     - Subverting application logic, where you can change a query to interfere with the application's logic.
     - UNION attacks, where you can retrieve data from different database tables.
     - Examining the database, where you can extract information about the version and structure of the database.
     - Blind SQL injection, where the results of a query you control are not returned in the application's responses.
     Source: https://portswigger.net/web-security/sql-injection
  14. Important Syntax
     - COMMENTS: -- 
       Example: SELECT * FROM `table` -- selects everything
     - LOGIC: 'a'='a'
       Example: SELECT * FROM `table` WHERE 'a'='a'
     - MULTI STATEMENTS: S1; S2
       Example: SELECT * FROM `table`; DROP TABLE `table`;
  15. Example Website (screenshot slide; slide 16 is also image-only)
  17. Example Website: logging in with username timbo317 and password cse7330 runs
      SELECT * FROM `login` WHERE `user`='timbo317' AND `pass`='cse7330'
  18. Login Database Table

      | user     | pass    |
      |----------|---------|
      | timbo317 | cse7330 |

      What Could Go Wrong??
  19. Example Hack: entering ' OR 'a'='a as both the username and the password produces
      SELECT * FROM `login` WHERE `user`='' OR 'a'='a' AND `pass`='' OR 'a'='a'
  20. It Gets Worse! Entering '; DROP TABLE `login`; -- as the username produces
      SELECT * FROM `login` WHERE `user`=''; DROP TABLE `login`; --' AND `pass`=''
  21. All Queries are Possible
      SELECT * FROM `login` WHERE `user`=''; INSERT INTO `login` ('user','pass') VALUES ('haxor','whatever');--' AND `pass`=''
      SELECT * FROM `login` WHERE `user`=''; UPDATE `login` SET `pass`='pass123' WHERE `user`='timbo317';--' AND `pass`=''
  22. (Slides 22 to 34 are image-only; no text was extracted.)
  35. Live Demonstration. How Can You Prevent This??
  36. Prevention
     - Logic to allow only numbers / letters in username and password.
     - How should you enforce the constraint? SERVER SIDE.
     - 'ESCAPE' bad characters: ' becomes '
     - READ ONLY database access.
     - Remember this is NOT just for login areas! NOT just for websites!!
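The login query from slides 17 and 19 beside a parameterised version of the same query, as an added example that is not part of the deck. It builds an in-memory SQLite copy of the `login` table with the deck's sample row (constructed data), feeds the slide 19 input `' OR 'a'='a` to both versions, and adds the slide 36 letters-and-digits check; the function names and the use of Python's `sqlite3` driver are assumptions of this example.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the deck's login table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO login VALUES ('timbo317', 'cse7330')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    # Slide 17 style: user input is spliced into the SQL text, so a quote in
    # the input changes the query's structure (slide 19).
    query = f"SELECT * FROM login WHERE user='{user}' AND pass='{pw}'"
    return conn.execute(query).fetchone() is not None

def login_safe(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    # Parameterised query: the driver transmits the values separately from
    # the SQL text, so a quote in the input is data, never syntax. This is
    # slide 36's "escape bad characters", done by the driver instead of by hand.
    query = "SELECT * FROM login WHERE user=? AND pass=?"
    return conn.execute(query, (user, pw)).fetchone() is not None

def is_allowed(value: str) -> bool:
    # Slide 36, first bullet: only letters and digits, enforced server side.
    # This is defence in depth on top of parameters, not a replacement for them.
    return re.fullmatch(r"[A-Za-z0-9]+", value) is not None

def demo() -> dict:
    """Run the valid login and the slide 19 input against both versions."""
    conn = make_db()
    payload = "' OR 'a'='a"   # slide 19 input, typed into both fields
    return {
        "valid_vulnerable": login_vulnerable(conn, "timbo317", "cse7330"),
        "payload_vulnerable": login_vulnerable(conn, payload, payload),
        "valid_safe": login_safe(conn, "timbo317", "cse7330"),
        "payload_safe": login_safe(conn, payload, payload),
        "payload_passes_allowlist": is_allowed(payload),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable version accepts the slide 19 input because the spliced query becomes `user='' OR 'a'='a' AND pass='' OR 'a'='a'`, which is always true; the parameterised version looks for a user literally named `' OR 'a'='a` and finds none. Slide 20's stacked `DROP TABLE` is not reproduced here because this driver executes one statement per `execute()` call; whether stacked statements run depends on the database driver in use.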
  37. Works Cited
     - Friedl, S. (2009, 10 26). SQL Injection Attacks by Example. Retrieved from Steve Friedl's Unixwiz.net Tech Tips: http://unixwiz.net/techtips/sql-injection.html
     - IBM Informix Guide to SQL: Syntax. (n.d.). Retrieved 10 26, 2009, from IBM.COM: http://publib.boulder.ibm.com/infocenter/idshelp/v10/index.jsp?topic=/com.ibm.sqls.doc/sqls36.htm
     - SQL Injection. (n.d.). Retrieved 10 26, 2009, from SQL Server 2008 Books Online: http://msdn.microsoft.com/en-us/library/ms161953.aspx
     - SQL Injection. (n.d.). Retrieved 10 26, 2009, from php.net: http://php.net/manual/en/security.database.sql-injection.php
     - SQL Injection Walkthrough. (n.d.). Retrieved 10 26, 2009, from Securiteam: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
