Sunday, 15 April 2012

What is SQL Injection?

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements from strings should be reviewed for injection vulnerabilities, because SQL Server executes every syntactically valid query it receives and has no way to tell which part of the text the developer wrote and which part the user supplied. Even parameterized data can be manipulated by a skilled and determined attacker if the application or a stored procedure later concatenates the parameter value into a dynamic SQL string (for example by building a string and running it with EXEC); a value that is only ever bound as a query parameter is passed to the server as data and cannot change the structure of the statement.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection works by prematurely terminating a text literal (closing its quote) and appending a new command. Because the application may append further text to the statement before it is executed, the attacker ends the injected string with the comment marker "--"; everything after it on that line, including the application's own closing quote, is ignored at execution time.

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

// Classic ASP (JScript). The variable name is spelled consistently here; the
// concatenation below is the defect the rest of the page discusses.
var ShipCity;
ShipCity = Request.Form("ShipCity");   // untrusted user input
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";  // input becomes part of the statement text

The user is prompted to enter the name of a city. If she enters Redmond, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'

However, assume that the user enters the following:

Redmond'; drop table OrdersTable--

In this case, the following query is assembled by the script:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond';drop table OrdersTable--'

The semicolon (;) denotes the end of one query and the start of another, and SQL Server runs the whole batch. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored, so the closing quote the script appended no longer matters. If the modified text is syntactically correct, the server executes it: it first selects all records in OrdersTable where ShipCity is Redmond, then drops OrdersTable.

As long as the injected SQL is syntactically correct, the server cannot tell the tampered statement from a legitimate one: it receives a single string and has no record of which characters came from the user. Therefore keep user input out of the statement text by passing it as query parameters, validate all user input, and carefully review any code that executes constructed (dynamic) SQL commands on the server that you are using.
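The following is an added example, not code from the original post or from Microsoft's documentation. It reproduces the page's attack string against an in-memory SQLite database via Python's sqlite3 module (an assumption made so it runs offline; the original targets SQL Server from classic ASP) and shows three things: the concatenated query from the page running the injected DROP TABLE, the same input passed as a bound parameter being treated as an ordinary city name, and the "less direct" second-order case from earlier on the page, where a value stored safely through a parameter is later concatenated into a new dynamic statement. The table contents and the function names are constructed for the example.

```python
import sqlite3

# The user input from the page's example, verbatim.
ATTACK = "Redmond'; drop table OrdersTable--"


def fresh_db():
    """In-memory database with a small OrdersTable (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderId INTEGER PRIMARY KEY, ShipCity TEXT)")
    conn.executemany(
        "INSERT INTO OrdersTable (ShipCity) VALUES (?)",
        [("Redmond",), ("Seattle",), ("Redmond",)],
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def query_vulnerable(conn, ship_city):
    """Builds the statement by string concatenation, exactly as the page's script does.
    executescript() is used because, like SQL Server, it runs every statement in the
    batch; sqlite3's execute() refuses more than one statement per call.
    Returns the assembled text so the caller can see what the server was given."""
    sql = "SELECT * FROM OrdersTable WHERE ShipCity = '" + ship_city + "'"
    conn.executescript(sql)
    return sql


def query_parameterized(conn, ship_city):
    """Binds the city as a parameter. The value travels separately from the statement
    text, so quotes, semicolons and '--' inside it never reach the parser as SQL."""
    cur = conn.execute(
        "SELECT OrderId, ShipCity FROM OrdersTable WHERE ShipCity = ?", (ship_city,)
    )
    return cur.fetchall()


def store_city_safely(conn, ship_city):
    """Stores user input with a parameter; this step is safe on its own."""
    cur = conn.execute("INSERT INTO OrdersTable (ShipCity) VALUES (?)", (ship_city,))
    return cur.lastrowid


def report_vulnerable(conn, order_id):
    """Second-order injection: reads the stored value back and concatenates it into a
    new dynamic statement, so the payload stored earlier executes now."""
    (city,) = conn.execute(
        "SELECT ShipCity FROM OrdersTable WHERE OrderId = ?", (order_id,)
    ).fetchone()
    sql = "SELECT COUNT(*) FROM OrdersTable WHERE ShipCity = '" + city + "'"
    conn.executescript(sql)
    return sql


def run_demo():
    """Runs the three scenarios and returns what happened to OrdersTable in each."""
    results = {}
    conn = fresh_db()
    results["benign_rows"] = len(query_parameterized(conn, "Redmond"))

    # 1. Direct injection through concatenation: the batch drops the table.
    results["vulnerable_sql"] = query_vulnerable(conn, ATTACK)
    results["table_after_vulnerable"] = table_exists(conn, "OrdersTable")

    conn = fresh_db()
    # 2. Same payload through a parameter: compared as a literal city name, no match.
    results["param_rows"] = query_parameterized(conn, ATTACK)
    results["table_after_param"] = table_exists(conn, "OrdersTable")

    # 3. Second-order: stored safely now, executed later by a concatenating report.
    order_id = store_city_safely(conn, ATTACK)
    results["table_after_store"] = table_exists(conn, "OrdersTable")
    report_vulnerable(conn, order_id)
    results["table_after_report"] = table_exists(conn, "OrdersTable")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The parameterized path survives not because the driver escapes the quote but because the value is never part of the statement text; the same property is lost the moment code anywhere downstream, including a stored procedure, rebuilds a statement by concatenating that value.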


  1. "Even parameterized data can be manipulated by a skilled and determined attacker."

    Would you mind explaining this one? I can't see how you can inject malicious code if you're using parameterized queries. In fact, that is a very easy way to get around the problem.

    Parameterized queries also perform much better as the query doesn't have to be parsed, compiled and optimized each time.

  2. That's true, yes; injection is not blockable unless the overall server architecture has blocking logic.

  3. This is a really good thing. I use SQL every day.