SQL Injection attacks

Monday, April 9, 2007

Some of you might have heard about SQL Injection attacks. SQL Injection attacks insert database commands into user input to modify commands sent from an application to a back-end database. Applications that employ user input in SQL queries can be vulnerable to SQL injection attacks.

Consider the following simplified C# source code, intended to determine whether an order number (stored in the variable Id and provided by the user) has shipped:

sqlString = “SELECT HasShipped FROM Orders WHERE OrderId = ‘“ + Id + “’”;
SqlCommand cmd = new SqlCommand(sqlString, Sql);
if ((int) cmd.ExecuteScalar() != 0) {
Status = “Yes”;
Status = “No”;

Legitimate users will submit an Order Id such as “123” and the code set the Status variable to Yes or No if the HasShipped value in the row with that ID number is true. However, a malicious attacker could submit a value such as “1234’ drop table customers—“. The preceding C# code would then construct the SQL query as

SELECT HasShipped FROM Orders WHERE OrderId = ‘1234’

drop table customers

Assuming the table named customers exist and the application had the right to drop tables, the table would be lost.


Post a Comment



2009 ·Techy Freak by TNB