DB2:
DBA2191E SQL execution error.
A database manager error occurred. :
[IBM][CLI Driver][DB2/NT] SQL0421N The operands of a set operator or a VALUES clause do not have the same number of columns. SQLSTATE=42826
MySQL:
ERROR 1222: The used SELECT statements have a different number of columns
As you can see, the database will always respond with an error. If you closely monitor all SQL errors coming back from the database, you will almost always be able to identify SQL injection attacks. The key reason this differs from looking at the SQL coming into the database is that a production application will usually have had its quirks removed during testing and should not be generating many SQL errors in normal operation (and if it is, that is a good opportunity to fix the problems creating those errors, separately from dealing with SQL injection as a topic).
Some SQL errors you should look for in identifying SQL injection include the following:
Errors on the number of columns in SELECT (usually within UNION)
Errors caused by an unclosed quotation mark
Errors caused by conversions of data; type mismatch between data and column definitions
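The following is an added example, not code from the book, showing what monitoring for these three error families can look like in practice. It classifies database error messages into the categories listed above and flags clients that produce a burst of them. The error numbers and message fragments are the genuine ones emitted by DB2, MySQL, SQL Server, Oracle and PostgreSQL; the log format (`timestamp client=... msg=...`), the sample log itself, and the alert threshold are constructed for illustration and mix messages from several engines purely to exercise every pattern.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Signatures for the three injection-indicating error families. Native error
# numbers and message fragments are the real ones each engine emits.
ERROR_SIGNATURES: Dict[str, List[re.Pattern]] = {
    "column_count_mismatch": [
        re.compile(r"SQL0421N|SQLSTATE=42826"),                              # DB2
        re.compile(r"ERROR 1222|different number of columns"),               # MySQL
        re.compile(r"equal number of expressions in their target lists"),    # SQL Server (Msg 205)
    ],
    "unclosed_quote": [
        re.compile(r"Unclosed quotation mark"),                              # SQL Server (Msg 105)
        re.compile(r"ERROR 1064"),                                           # MySQL syntax error
        re.compile(r"ORA-01756"),                                            # Oracle: quoted string not properly terminated
    ],
    "type_conversion": [
        re.compile(r"Conversion failed when converting"),                    # SQL Server (Msg 245)
        re.compile(r"ORA-01722"),                                            # Oracle: invalid number
        re.compile(r"invalid input syntax for (?:type )?integer"),           # PostgreSQL
    ],
}

# Constructed log format (assumption, not a real product format).
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) msg=(?P<msg>.*)$")

# Constructed sample log: client 10.0.0.5 is probing with UNION payloads,
# client 10.0.0.9 is producing ordinary constraint errors.
CONSTRUCTED_ERROR_LOG = [
    "2024-05-01T10:00:01 client=10.0.0.5 msg=SQL0421N The operands of a set operator or a VALUES clause do not have the same number of columns. SQLSTATE=42826",
    "2024-05-01T10:00:02 client=10.0.0.5 msg=ERROR 1222: The used SELECT statements have a different number of columns",
    "2024-05-01T10:00:03 client=10.0.0.5 msg=Msg 105: Unclosed quotation mark after the character string ''.",
    "2024-05-01T10:00:04 client=10.0.0.5 msg=Msg 245: Conversion failed when converting the varchar value 'admin' to data type int.",
    "2024-05-01T10:00:05 client=10.0.0.9 msg=Msg 2627: Violation of PRIMARY KEY constraint 'PK_orders'.",
    "2024-05-01T10:00:06 client=10.0.0.9 msg=ERROR 1062: Duplicate entry '42' for key 'PRIMARY'",
]


def classify_error(msg: str) -> Optional[str]:
    """Return the injection-indicating category of an error message, or None."""
    for category, patterns in ERROR_SIGNATURES.items():
        if any(p.search(msg) for p in patterns):
            return category
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a constructed log line into (timestamp, client, message)."""
    m = LINE_RE.match(line)
    return (m["ts"], m["client"], m["msg"]) if m else None


def scan_log(lines: List[str]) -> Dict[str, Counter]:
    """Count flagged error categories per client; unflagged errors are ignored."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, msg = parsed
        category = classify_error(msg)
        if category is not None:
            per_client[client][category] += 1
    return dict(per_client)


def suspicious_clients(lines: List[str], threshold: int = 2) -> List[str]:
    """Clients whose flagged-error count reaches the (assumed) alert threshold."""
    counts = scan_log(lines)
    return sorted(c for c, cats in counts.items() if sum(cats.values()) >= threshold)


if __name__ == "__main__":
    for client, cats in scan_log(CONSTRUCTED_ERROR_LOG).items():
        print(client, dict(cats))
    print("suspicious:", suspicious_clients(CONSTRUCTED_ERROR_LOG))
```

The threshold matters in practice: a single conversion error can be a legitimate bug, but several different injection-class errors from the same client in a short window is exactly the pattern a probing attacker produces and a tested application should not.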
Before moving into the third and last monitoring category, I would like to show you an advanced SQL injection technique that you should be aware of, a technique that is related to SQL errors. SQL errors that are reported all the way back to the application user and presented on the screen as an error message are considered bad practice, because such error messages provide a lot of useful information to good hackers and actually help them break into the database. For example, if I keep getting an "All queries in a SQL statement containing a UNION operator must have an equal number of expressions in their target lists" error, then I know my SQL injection has failed, but I also know that if I change my injected string to add more columns, I will probably eventually succeed.
Luckily, many application environments will shield the end user from data-
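As an added example (not code from the book), the following demonstrates the column-count enumeration just described against an in-memory SQLite database, and shows the two defensive changes that close it: binding parameters instead of concatenating strings, and returning a generic message to the user while the real error goes to the server-side log that the monitoring above watches. The table, its rows and the `vulnerable_lookup`/`safe_lookup` function names are constructed for illustration; SQLite's own mismatch message reads "SELECTs to the left and right of UNION do not have the same number of result columns".

```python
import sqlite3
from typing import Callable, List, Optional, Tuple

LookupResult = Tuple[List[tuple], Optional[str]]   # (rows, error text or None)

# Constructed sample database (assumption: two-column products table).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99)])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> LookupResult:
    """Deliberately injectable: user input is concatenated into the SQL text,
    and the raw database error is handed straight back to the caller."""
    sql = f"SELECT name, price FROM products WHERE name = '{user_input}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def count_union_columns(oracle: Callable[[str], LookupResult],
                        max_cols: int = 10) -> Tuple[Optional[int], List[str]]:
    """Attacker side: keep adding NULL columns to a UNION SELECT until the
    database stops complaining. Returns the column count found (or None) and
    every error message seen on the way, which is what a monitor would log."""
    errors_seen: List[str] = []
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        _rows, err = oracle(payload)
        if err is None:
            return n, errors_seen
        errors_seen.append(err)
    return None, errors_seen


SERVER_LOG: List[str] = []   # stand-in for the server-side error log


def safe_lookup(conn: sqlite3.Connection, user_input: str) -> LookupResult:
    """Hardened: parameter binding keeps the input out of the SQL text, and any
    error is logged server-side while the user sees only a generic message."""
    try:
        rows = conn.execute("SELECT name, price FROM products WHERE name = ?",
                            (user_input,)).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"lookup failed: {exc}")
        return [], "request could not be processed"


if __name__ == "__main__":
    db = build_db()
    cols, errs = count_union_columns(lambda p: vulnerable_lookup(db, p))
    print("vulnerable endpoint: UNION works with", cols, "columns after", len(errs), "error(s)")
    print("hardened endpoint:", safe_lookup(db, "' UNION SELECT NULL, NULL--"))
```

Against the vulnerable function the loop needs exactly one failure before `NULL, NULL` lines up with the two real columns; against the hardened function the same payload is just a string that matches no product name, so there is no error to learn from.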