Provide an example of SQL Injection




A SQL injection attack is exactly what the name suggests – it is where a hacker tries to “inject” his harmful/malicious SQL code into someone else’s database, and force that database to run his SQL. This could potentially ruin their database tables, and even extract valuable or private information from their database tables. The idea behind SQL injection is to have the application under attack run SQL that it was never supposed to run. How do hackers do this? As always, it’s best to show this with examples that will act as a tutorial on SQL injection.

SQL Injection Example

In this tutorial on SQL injection, we present a few different examples of SQL injection attacks, along with how those attacks can be prevented. SQL injection attacks typically start with a hacker inputting his or her harmful/malicious code in a specific form field on a website. A website ‘form’, if you don’t already know, is something you have definitely used – like when you log into Facebook you are using a form to login, and a form input field can be any field on a form that asks for your information – whether it’s an email address or a password, these are all form fields.

For our example of SQL injection, we will use a hypothetical form which many people have probably dealt with before: the “email me my password” form, which many websites have in case one of their users forgets their password.




The way a typical “email me my password” form works is this: it takes the email address as an input from the user, and then the application does a search in the database for that email address. If the application does not find anything in the database for that particular email address, then it simply does not send out an email with a new password to anyone. However, if the application does successfully find that email address in its database, then it will send out an email to that email address with a new password, or whatever information is required to reset the password.

But, since we are talking about SQL injection, what would happen if a hacker was not trying to input a valid email address, but instead some harmful SQL code that he wants to run on someone else’s database to steal their information or ruin their data? Well, let’s explore that with an example, starting from how a hacker would typically get started in order to figure out a system works.

Starting the SQL Injection Process

The SQL that would retrieve the email address in the “email me my password” form would typically look something like this – keep in mind that this SQL really is embedded within a scripting language like PHP (it depends on what scripting language is being used by the application):

SELECT data 
          FROM table
              WHERE Emailinput = '$email_input';

This is, of course, a guess at what the SQL being run by the application would look like, because a hacker would not know this information since he does not have access to the application code. The “$email_input” variable is used to hold whatever text the user inputs into the email address form field.

Step 1: Figure out how the application handles bad inputs

Before a hacker can really start taking advantage of a weak or insecure application, he must figure out how the application handles a simple bad input first. Think of this initial step as the hacker “feeling out” his opponent before he releases the really bad SQL.

So, with that in mind, the first step a hacker would typically take is inputting an email address with a quote appended to the end into the email form field. We will of course explain why further down below. But for now, the input from the hacker would look something like this – pay special attention to the fact that there is a quote appended to the end of the email address:

hacker@programmerinterview.com'

If the hacker puts that exact text into the email address form field then there are basically 2 possibilities:

  • 1. The application will first “sanitize” the input by removing the extra quote at the end, because we will assume that the application considers email addresses with quotes as potentially malicious. But, a side note: email addresses can actually contain quotes according to IETF standards. Sanitizing data is the act of stripping out any characters that aren’t needed from the data that is supplied – in our case, the email address. Then, the application may run the sanitized input in the database query, and search for that particular email address in the database (without the quote of course).
  • 2. The application will not sanitize the input first, and will take the input from the hacker and immediately run it as part of the SQL. This is what the hacker is hoping would happen, and we will assume that this is what our hypothetical application is doing. This is also known as constructing the SQL literally, without sanitizing. What it means is that the SQL being run by the application would look like this – pay extra attention to the fact that there is now an extra quote at the end of the WHERE statement in the SQL below:
SELECT data 
      FROM table
         WHERE Emailinput = 'hacker@programmerinterview.com'';

Now, what would happen if the SQL above is executed by the application? Well, the SQL parser would see that there is an extra quote mark at the end, and it will abort with a syntax error.

The error response is key, and tells the hacker a lot




But, what will the hacker see on the actual form page when he tries to input this email address with a quote at the end? Well, it really depends on how the application is set up to handle errors in the database, but the key here is that the hacker will most likely not receive an error saying something like “This email address is unknown. Please register to create an account” – which is what the hacker would see if the application is actually sanitizing the input. Since we are assuming that the application is not sanitizing it’s input, the hacker would most likely see something like “Internal error” or “Database error” – and now the hacker also knows that the input to the database is not being sanitized . And if the application is not sanitizing it’s input then it means that the database can most probably be exploited, destroyed, and/or manipulated in some way that could be very bad for the application owner.

Step 2: Run the actual SQL injection attack

Now that the hacker now knows the database is vulnerable he can attack further to get some really good information. What could our hacker do? Well, if he’s been able to successfully figure out the layout of the table, he could just type this harmful code on the form field (where the email address would normally go):


     Y';
     UPDATE table
      SET email = 'hacker@ymail.com'
      WHERE email = 'joe@ymail.com';

Note that the SQL above is completely SQL compliant and legitimate. You can see that after the Y there is an extra quote followed by a semicolon, which allows the hacker to close the statement and then incredibly run another statement of his own!

Then, if this malicious code is run by the application under attack, it would look like this:

SELECT data 
          FROM table
              WHERE Emailinput = 'Y';
     UPDATE table
      SET email = 'hacker@ymail.com'
      WHERE email = 'joe@ymail.com';

Can you see what this code is doing? Well, it is resetting the email address that belongs to “joe@ymail.com” to “hacker@ymail.com”. This means that the hacker is now changing a user’s account so that it uses his own email address – hacker@ymail.com. This then means that the hacker can reset the password – and have it sent to his own email address! Now, he also has a login and a password to the application, but it is under someone else’s account.

In the example above, we did skip some steps that a hacker would have taken to figure out the table name and the table layout, because we wanted to keep this article relatively short. But, the idea is that SQL injection is a real threat, and taking measures to prevent it is extremely important.

Now, the question is how to prevent SQL injection attacks? Well, read on to the next page or just click here: SQL Injection Prevention.

Hiring? Job Hunting? Post a JOB or your RESUME on our JOB BOARD >>

Subscribe to our newsletter for more free interview questions.

  • Himanshu

    ‘OR”=’

  • akshay

    how to identify column name ..?

  • Matchendran

    Last quote and semicolon should be removed so that it will be executed properly

  • Sumati Nigam

    Y’;
    UPDATE table
    SET email = ‘hacker@ymail.com’
    WHERE email = ‘joe@ymail.com’;

    Remove the last single quote and semicolon ‘; to make it a valid SQL injection

  • Fahad (Eddie)

    Good Example.

  • Utsav Kumar

    lets suppose your friends email id is there in that application’s DB, so now u know his email id so u can use it right ?

  • seo

    Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, for one you do not use all three H tags in your post, also I notice that you are not using bold or italics properly in your SEO optimization. On-Page SEO means more now than ever since the new Google update: Panda. No longer are backlinks and simply pinging or sending out a RSS feed the key to getting Google PageRank or Alexa Rankings, You now NEED On-Page SEO. So what is good On-Page SEO?First your keyword must appear in the title.Then it must appear in the URL.You have to optimize your keyword and make sure that it has a nice keyword density of 3-5% in your article with relevant LSI (Latent Semantic Indexing). Then you should spread all H1,H2,H3 tags in your article.Your Keyword should appear in your first paragraph and in the last sentence of the page. You should have relevant usage of Bold and italics of your keyword.There should be one internal link to a page on your blog and you should have one image with an alt tag that has your keyword….wait there’s even more Now what if i told you there was a simple WordPress plugin that does all the On-Page SEO, and automatically for you? That’s right AUTOMATICALLY, just watch this 4minute video for more information at. Seo Plugin

  • guestname
  • ishan

    if anyone want free hosting go to http://www.hkimking.in phishing also allow there

  • aaa

    huu

  • anonymous

    good explanation. I already understand it by now. thanks.

  • zhaohua

    Actually the sql would look like following (note the last single quote) which is wrong sql format and will not be executed, right?

    SELECT data
    FROM table
    WHERE Emailinput = ‘Y’;
    UPDATE table
    SET email = ‘hacker@ymail.com’
    WHERE email = ‘joe@ymail.com’;’

  • BHS

    The single quote and the semicolon at the end of the sql injection code should be coded in black rather than red, since it is not a part of the attackers malicious code, but is something he is using from the actual query itself.

  • Mahesh

    Nice one. Conveyed what info i need.

  • df

    good job

  • Ram

    nice article

  • sandip

    i not understand .think.

  • Nice informative article. A detailed information about this attack can be found at http://www.techrecite.com/what-is-sql-injection-attack-explained-with-the-example/

  • jibran

    why u hvnt shown how to guess table name

  • Shivayan

    but how will the hacker get to know about the email id's present in the database,i.e which email id to hack?? if the email id specified in the where clause do not match with the one in the db,should it not throw an exception?

  • montu shriwas

    nice very helpful…..

  • SSS

    what steps that a hacker would have taken to figure out the table name and the table layout??????

  • anonymous

    very helpful

  • pranjal gupta

    very good article.