many of these applications compose such SQL statements by doing string concatenation—concatenation of the fixed part of the SQL statement, along with user-supplied data that forms WHERE predicates or additional subqueries. The technique is based on malformed user-supplied data that transforms the SQL statement from an innocent SQL call that the application developer intended to a malicious call that can cause unauthorized access, deletion of data, or theft of information. In all cases, SQL injection as a technique is based on using bugs and vulnerabilities in the application layer to perform an attack on the database or on the data.
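The following is an added example, not code from the book, that shows the concatenation pattern described above next to the parameterized form. It builds a small in-memory SQLite table with constructed sample rows (the table, names and helper function names are assumptions for illustration). A name that legitimately contains a quote character, such as O'Brien, is enough to show the problem: with concatenation the quote becomes part of the SQL syntax and the statement no longer parses as the developer intended, whereas a bound parameter keeps the value as data regardless of its contents.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory sample table (not from the book)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    # Sample rows are constructed; ids are assigned 1, 2, 3 in insert order.
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """Vulnerable pattern: fixed SQL text glued to user data that forms the
    WHERE predicate. Anything in `name` is handed to the SQL parser as code."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Hardened form: the statement text is fixed and the value is bound as a
    parameter, so the database never parses the user data as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def concat_changes_structure(conn, name):
    """Check used in this example: True when the concatenated statement either
    fails to parse or returns a different row set than the parameterized query,
    i.e. the user data altered the statement the developer intended."""
    try:
        concat_rows = find_user_concat(conn, name)
    except sqlite3.Error:
        # A parse error means the value was interpreted as SQL syntax.
        return True
    return concat_rows != find_user_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "O'Brien"):
        print(candidate, "->", "structure altered" if concat_changes_structure(db, candidate)
              else "same result", "| param query:", find_user_param(db, candidate))
```

For "alice" both functions return the same single row; for "O'Brien" the concatenated statement raises a SQLite syntax error while the parameterized query returns the correct row. The same separation of statement text from data is what prepared statements and bound parameters provide in every database API, and it is the primary mitigation for the class of vulnerability this section describes.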
SQL injection has received a lot of press and is usually considered to be related to Web applications, but it can be present in any application architecture. The focus on Web applications is somewhat justified for two reasons. The first is that Web applications are based on a three-tier architecture in which the application server or Web server has a connection pool into the database, and operations such as login are made at the application layer rather than the database layer. In client-server systems the login to the application is sometimes synonymous with the database login, and in this case many of the SQL injection scenarios do not apply. The second and more important reason is that Web applications cater to a broad range of users—internal as well as external—meaning that the chance of a hacker trying to exploit the application is much higher. However, as a technique, SQL injection is potentially available in any application, and you should not think of this potential vulnerability in terms of Web forms only.
Finally, before we move on to look at the anatomy of SQL injection, a word on how widespread this problem is. SQL injection deserves the press it has been getting because it is a serious problem and is very common. In an application security study performed by Sanctum between the years 2000 and 2003, they report that of the Web applications they tested, more than 61% showed vulnerabilities to SQL injection attacks. Because SQL injection often allows hackers to access arbitrary data, this is a very serious issue. Let's move on and see how SQL injection is performed.
5.3.1 Anatomy of the vulnerability: Understanding SQL injection
Most of the examples in this section use SQL Server syntax. This is arbitrary, and you should not get the impression that only SQL Server is susceptible to SQL injection attacks. All databases can be a target of SQL injection and all are vulnerable to this technique. In fact, the reason is that the vulnerability is not in the database at all; the vulnerability is in the