Welcome to this journey into SQL Injection, one of the most famous web vulnerabilities. We'll go through the basics together and explore it step by step.
What’s a Web Application
Before going further, let's first describe what a web application is. A web application is an application accessed from a web browser, where the browser is responsible for rendering the result returned by a web server.
Take this blog as a simple example: it runs on the WordPress CMS. You are reading this article in a web browser (Google Chrome, Firefox, Internet Explorer…) installed on your computer, while the article itself is stored in a database on a server, and an HTTP server runs a server-side scripting language to render it.
What I have described are the parts that together form a web app: the presentation part (a web browser), the logic part (a server-side programming language, in this case PHP), and finally the database or storage part (MySQL, SQL, Oracle…).
The logic part and the storage part of a web app communicate constantly: in general, the logic part asks for data using SQL (Structured Query Language), and the storage part has to give back the answer in the form of data.
</gre_replace>
<gr_replace lines="7-7" cat="clarify" orig="These formed">
These queries are built to take input parameters from the client (your computer and its web browser), which are then passed to the database server. If these inputs are not validated, the queries change their form and logic. To summarise, an SQL injection is an attack that inserts a non-validated value into a dynamically built query, allowing the attacker to manipulate and execute statements on the database.
These formed queries are set up to get input parameters from the client (your computer and a web browser) that are later passed to the database server if these inputs are not validated the queries will change their forms and logic. To summarise an SQL injection is an attack used to insert a non validated value into a dynamic formed query, where the attacker will be able to manipulate and execute statements on the database.
Let's pretend that you access a product page on an e-commerce website, http://www.example.com/product.php?id=12. The URL includes one parameter, id, with the number 12 as its value, which leads to the details of the product with id 12. The developer presumes that the only type of value that will be inserted into the id parameter is a number.
The query formed and executed in this case will be:
SELECT * FROM products WHERE id = 12
To get this result programmatically, the developer builds a dynamic query string that includes the value of $_GET[id] taken from user input; the selection of the record from the table is based on this user input:
$query = "SELECT * FROM products WHERE id = '$_GET[id]'";
There is no validation of $_GET[id], so an attacker can insert any value instead of a number. As an example, the attacker adds a single quote ' to the value 12. By adding the single quote, the attacker's SQL statement is passed to the database and executed:
SELECT * FROM products WHERE id = 12'
If a warning message appears after executing this query:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource
This means the attacker is communicating with the database server even when inserting non-validated values, and this is a short example of how an attacker tests for the existence of an SQL Injection vulnerability.
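The following is an added example, not code from this article: it reproduces the dynamic query from the PHP snippet above in Python against an in-memory SQLite database (instead of PHP and MySQL, so it runs offline), then shows the fix a developer should apply. The products table and its rows are constructed sample data; the function names are my own. fetch_unsafe splices the raw value into the SQL text exactly as $query does, so the single-quote probe turns into a database error (the role the mysql_fetch_assoc() warning plays on the page). fetch_safe applies the check the developer assumed (the id must be a number) and binds the value as a query parameter, so it can only ever be data, never SQL syntax.

```python
import sqlite3

# Constructed sample data standing in for the article's `products` table.
SAMPLE_PRODUCTS = [(12, "Keyboard", 49.99), (13, "Mouse", 19.99)]


def make_db():
    """Create an in-memory SQLite database holding the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def build_query_unsafe(user_id):
    """Mirror the page's PHP: the raw GET value is spliced into the SQL text."""
    return "SELECT * FROM products WHERE id = '" + user_id + "'"


def fetch_unsafe(conn, user_id):
    """Run the concatenated query. Returns (ok, rows) or (False, error text)."""
    try:
        rows = conn.execute(build_query_unsafe(user_id)).fetchall()
        return True, rows
    except sqlite3.Error as exc:
        # A stray quote breaks the SQL syntax; this is the error the attacker looks for.
        return False, str(exc)


def is_valid_id(user_id):
    """Allow-list check: the developer expected a number, so accept only digits."""
    return user_id.isdigit()


def fetch_safe(conn, user_id):
    """Validate first, then bind the value as a parameter so it is data, never SQL."""
    if not is_valid_id(user_id):
        return False, "rejected: id must be a positive integer"
    rows = conn.execute("SELECT * FROM products WHERE id = ?", (int(user_id),)).fetchall()
    return True, rows


if __name__ == "__main__":
    db = make_db()
    for value in ("12", "12'"):
        print("input", repr(value))
        print("  unsafe:", fetch_unsafe(db, value))
        print("  safe:  ", fetch_safe(db, value))
```

Running it with the legitimate value 12 returns the product either way; with the probe value 12' the concatenated query fails at the database while the parameterized version rejects the input before any query is sent. Two defensive points follow from this: parameter binding (prepared statements in PHP's PDO or mysqli) is the fix, with input validation as a second layer, and database error text should be logged server-side rather than shown to the client, since the warning on the page is exactly the signal that tells an attacker the injection reached the database.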