Question:
what's sql injection?
?
2014-05-20 07:33:59 UTC
What is sql injection?
What can people do with it, and how can I know if my web site is vulnerable?
Four answers:
Aiwin
2014-05-20 08:36:59 UTC
Exploiting an SQL Injection attack involves solving a puzzle that is a cross between Hangman and 20 Questions. It needs a little understanding of SQL and a great deal of cunning.

Try your hacking skills against this test system. It takes you through the exploit step-by-step.

The SQL Injection attack allows external users to read details from the database. In a well-designed system this will only include data that is available to the public anyway. In a poorly designed system this may allow external users to discover other users' passwords.
?
2014-05-20 11:56:53 UTC
SQL injection is a vulnerability that allows an end user to inject SQL queries into web forms.

THIS IS AN EXAMPLE OF SQL INJECTION:

$expected_data = 1;
$query = "SELECT * FROM users where id=$expected_data";

That will produce a regular query, while this code:

$spoiled_data = "1; DROP TABLE users;";
$query = "SELECT * FROM users where id=$spoiled_data";

will produce a malicious sequence:

SELECT * FROM users where id=1; DROP TABLE users;



It works because we are passing data directly into the query.



So, the data may alter the query and depending on the data passed, we will have either a regular output or the table `users` deleted.



With prepared statements, we don't pass data directly into our query, and that's the point.

We are sending the query to the server first:

$stmt = $db->prepare("SELECT * FROM users where id=?");

where the data is substituted by a variable called a "placeholder".

Note that the very same query is being sent to the server, but without any data in it! And then we're sending the data with the second request, totally separated from the query itself:

$stmt->execute([$data]);

We create the query, and it is sent without any user-submitted data; instead the data is replaced by a placeholder, the ?.

Then we bind the parameters. We set the value of each parameter like so:

s = string, i = integer, in the order in which they appear in both the query and the binding.
Jesse
2014-05-20 20:15:45 UTC
Basically, if you have a login box where you type in a password, the backend code would verify this password with something like: SELECT * FROM users WHERE password='hellomom';

However, with SQL injection I could type in fakepassword' OR 1=1, which would process: SELECT * FROM users WHERE password='fakepassword' OR 1=1';

It would think the "'" the user inputted is actual SQL code. And since 1 always equals 1, the system could be bypassed.

The only way to stay safe is by escaping your inputs. For instance, mysql_escape_string()
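The two answers above describe the same defect from different angles: user input pasted into the SQL text. As an added example (not code from the original thread), here is a login check in Python with sqlite3, in the vulnerable form beside the placeholder form, over a constructed in-memory users table; the user name, password and the quote-balanced input are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory database with a single user. The password is stored
    # in plaintext only to mirror the query in the answer above, not as advice.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.execute("INSERT INTO users (name, password) VALUES ('alice', 'hellomom')")
    db.commit()
    return db

def login_vulnerable(db, password):
    # The user-supplied value is pasted into the SQL text, exactly the mistake
    # described above: a quote in the input closes the string literal and the
    # rest of the input becomes part of the query structure.
    query = f"SELECT name FROM users WHERE password='{password}'"
    try:
        rows = db.execute(query).fetchall()
    except sqlite3.Error:
        # Unbalanced quotes (as in the answer's literal example) break the SQL;
        # the error itself shows the input reached the parser as code.
        return None
    return [r[0] for r in rows]

def login_parameterized(db, password):
    # The query is sent with a '?' placeholder and the data is bound separately,
    # so whatever the input contains is compared as one string value.
    query = "SELECT name FROM users WHERE password=?"
    rows = db.execute(query, (password,)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    bypass = "fakepassword' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, bypass))      # ['alice']: every user matches
    print("parameterized:", login_parameterized(db, bypass))  # []: no password equals that string
```

The same input that returns every row from the vulnerable query matches nothing when bound to a placeholder, which is the property that escaping alone does not guarantee.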
Paultech
2014-05-20 07:36:58 UTC
SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications, which allows hackers to inject SQL commands into, say, a login form to gain access to the data held within your database.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.