SQL Injection
Here's a classic example from XKCD
Injection attacks commonly include special SQL characters, such as single quotes ('), semicolons, and dashes. Take a look at http://en.wikipedia.org/wiki/SQL_injection for some other examples
In the comic strip, the single quote after "Robert" prematurely terminates the string and a semicolon terminates the statement. In the strip, there was a table named "Students" that got deleted by the DROP statement, with two dashes at the end to comment out the rest of the originally intended command. For your website, you could use something a little more harmless, such as "Robert'; SELECT 'Hello, world';"
What sort of SQL server are you using? Are you on MySQL, MSSQL, Oracle, etc? I work normally in a MSSQL and .NET environment. To protect against injections, if I am executing an INSERT or UPDATE statement, instead of building a string containing the command at run time, I declare the entire INSERT/UPDATE string in code and replace the values with parameters e.g.:
and then set the parameters of the SqlCommand object, or use stored procedures or LINQ to run CRUD operations. Another method I have used (especially in Access), is to create a "sanitize" function that escapes special characters
_________________
"Tongue tied and twisted, just an earth-bound misfit, I" - Pink Floyd
(and then the tower cleared me for take off)
Also look into the UNION statement, which can be extremely helpful in harvesting data through SQL injection. Imagine having a URL like this:
It might use an SQL query like this to retrieve the data about the pet:
If the URL parameter is vulnerable to SQL injection, it could be exploited like this:
The
Trying to detect a SQL injection attempt and relying on that for the security of a web application is a very big risk. Since the SQL can be obfuscated in so many ways, there's always a realistic possibility that a skilled hacker could work around it.
Like Will suggested, the most reliable way is to use prepared statements, which will escape the query parameters in the proper and safe way. It's recommended to use prepared statements for every query, to prevent so-called second order SQL injection attacks, where the output of the first query is later passed to a second query. If the output isn't escaped properly, it could be used to perform an SQL injection with the second query.
All the most popular programming languages have libraries that support prepared statements, it's highly recommended to use those.
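The point made in the two replies above (fixed statement text plus bound parameters, instead of a command string built at run time) as an added example that is not from this thread; it is written in Python with the standard sqlite3 module as a stand-in for the poster's .NET/SQL Server setup, the table name and sample rows are constructed, and executescript is used in the vulnerable function only to mimic a driver that executes a whole batch of statements in one command text.

```python
import sqlite3

# Constructed sample: the input string from the comic referenced above.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"


def make_db():
    """Fresh in-memory database with a Students table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Students (name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def add_student_vulnerable(conn, name):
    """Builds the command text at run time from user input.
    executescript runs the whole batch, the way a command text that allows
    several statements would, so the quote and semicolon in the input close
    the intended INSERT and the attacker's DROP runs as a second statement."""
    sql = f"INSERT INTO Students (name) VALUES ('{name}');"
    conn.executescript(sql)


def add_student_safe(conn, name):
    """Fixed statement text; the value travels as a bound parameter and is
    stored as data, whatever characters it contains."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def students_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def demo():
    conn = make_db()
    add_student_vulnerable(conn, BOBBY_TABLES)
    dropped = not students_table_exists(conn)  # the table is gone

    conn = make_db()
    add_student_safe(conn, BOBBY_TABLES)
    intact = students_table_exists(conn)  # still there
    stored = student_names(conn)[-1] == BOBBY_TABLES  # whole string saved literally
    return dropped, intact, stored
```

Note that a plain `conn.execute` of the concatenated string would refuse the second statement in sqlite3, which is a driver quirk rather than protection; the same concatenation under a driver that accepts batches behaves as in the vulnerable function.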
Hi thanks for your replies, both of them are helpful. Love the cartoon too!
I will use prepared statements, you have convinced me. I created a website over the past few weeks in .net with SQL Server, before I host it I want to make sure it's secure so am reading up about securing a site.
So prepared statements will sort out the SQL injection, that is good. Do any of you know about code injection?
My website is fictitious, it is a mock E-business site. So if someone managed to delete the DB it would not cause major problems. However, I want to make it as secure as I can.
Do you know what the minimum level of security should be for it?
It does not use any browser scripts, only server scripts, and the input from users is restricted. It is mostly a control clicking journey that users would take through it, but there is login and the possibility of creating a profile.