What Could Possibly Go Wrong?

Posted on December 13, 2016 by nerdymind

Today, most websites use a combination of a programming language and an SQL database to store and retrieve their content, and the biggest risk with this type of setup is called an "SQL injection attack." This type of attack allows a person to manipulate the website's database queries in a way that exposes sensitive information (such as usernames and passwords). Recently, Yahoo made international headlines because of an SQL injection attack that exposed over 450,000 usernames and passwords.

The reason these attacks are possible is that for a website to serve up customized or updateable content, it has to communicate with a database to get that content. Everything from blog posts and shopping carts to contact forms and content management systems can use an SQL database. When the website has to use user input to communicate with the database, it may be possible to manipulate what the website says to the database in order to force the database to give up its secrets.

For example, a typical web page with blog posts may have a URL like http://something.com/blog.php?id=1. In this example, the "id=1" portion of the URL tells the website that it needs to get the blog post with an ID of 1 out of the database. The website will then perform a database query that looks like:

select post from blog where id = 1

That's all well and good as long as the person viewing the page doesn't try to manipulate the query. However, if we change the URL to http://something.com/blog.php?id=1 or id=5, this will change the query to:

select post from blog where id = 1 or id=5

No big deal, right? The person viewing the page just changed the query a little bit, and it might display a different blog post. Here's where things can go very, very wrong: if the user is a bit more savvy, they can retrieve information from other parts of the database using a "Union-based" attack. This type of attack allows someone to replace the information that the website is trying to retrieve (the blog post, in this case) with other information, such as the names of other tables in the database, or usernames and passwords that are stored in other tables.

The bad news is that if your website uses a database, you may be at risk. The good news is that it's relatively simple to protect your website against SQL injection attacks by "sanitizing" all user input before communicating with the database. This is done by "escaping" user input and surrounding it with quotes. Using our blog example in PHP, the query will look like:

// The mysql_* functions were removed in PHP 7; mysqli_real_escape_string() is the direct replacement. $db is assumed to be an open mysqli connection.
$result = mysqli_query($db, "select post from blog where id = '" . mysqli_real_escape_string($db, $_REQUEST['id']) . "'");

...which causes http://something.com/blog.php?id=1' or id='5 to run the following query:

select post from blog where id = '1\' or id=\'5'

...which returns no results, as expected, since no blog post has the literal string 1' or id='5 as its ID. Escaping turns each quote in the input into part of the string rather than the end of it, which is why it only protects you when the escaped value is also surrounded by quotes. Most programming languages have a function equivalent to mysql_real_escape_string() to help properly sanitize user input.
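The following is an added example, not code from the original post; it reproduces the blog-post query from the earlier section and the escape-and-quote fix just described in Python against an in-memory SQLite database, rather than PHP and MySQL, so that it runs offline. The blog table rows are constructed, and escape() is a stand-in for mysql_real_escape_string() (SQLite doubles a single quote where MySQL would backslash it; the effect on the query is the same). It runs the post's own inputs, "1 or id=5" and "1' or id='5", through four ways of building the query: plain concatenation, escaping without quotes, escaping with quotes, and a parameterized query. The last of these is the standard recommendation today, because the driver never parses the value as SQL and there is no quoting to get wrong.

```python
import sqlite3

# Constructed sample rows standing in for the post's "blog" table.
POSTS = [(1, "first post"), (5, "fifth post"), (7, "seventh post")]


def make_db():
    """Build an in-memory SQLite database holding the constructed blog table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table blog (id integer, post text)")
    db.executemany("insert into blog (id, post) values (?, ?)", POSTS)
    return db


def escape(value):
    """Stand-in for mysql_real_escape_string(). SQLite escapes a single quote by
    doubling it, where MySQL would use a backslash; either way the quote can no
    longer terminate the string literal it sits in."""
    return value.replace("'", "''")


def query_concat(db, raw_id):
    """The vulnerable pattern from the post: the id parameter is pasted into the SQL."""
    sql = "select post from blog where id = " + raw_id + " order by id"
    return [row[0] for row in db.execute(sql)]


def query_escaped_unquoted(db, raw_id):
    """Escaping without the surrounding quotes: '1 or id=5' contains nothing to
    escape, so this is no safer than query_concat()."""
    sql = "select post from blog where id = " + escape(raw_id) + " order by id"
    return [row[0] for row in db.execute(sql)]


def query_escaped_quoted(db, raw_id):
    """The post's fix: escape the value and wrap it in single quotes, so the whole
    input becomes one string literal that is compared against the id column."""
    sql = "select post from blog where id = '" + escape(raw_id) + "' order by id"
    return [row[0] for row in db.execute(sql)]


def query_parameterized(db, raw_id):
    """Prepared statement with a placeholder: the value is passed to the driver
    separately and is never parsed as SQL, so no escaping is needed at all."""
    sql = "select post from blog where id = ? order by id"
    return [row[0] for row in db.execute(sql, (raw_id,))]


STRATEGIES = {
    "concat": query_concat,
    "escaped_unquoted": query_escaped_unquoted,
    "escaped_quoted": query_escaped_quoted,
    "parameterized": query_parameterized,
}


def compare(raw_id):
    """Run one id value through every strategy against a fresh database and return
    {strategy: list of posts}. A malformed query is reported as an error string;
    database errors triggered by request parameters are worth logging and alerting
    on, since they are a common first sign of someone probing for injection."""
    results = {}
    for name, fn in STRATEGIES.items():
        db = make_db()
        try:
            results[name] = fn(db, raw_id)
        except sqlite3.Error as exc:
            results[name] = "error: " + str(exc)
        finally:
            db.close()
    return results


if __name__ == "__main__":
    for raw in ["1", "1 or id=5", "1' or id='5"]:
        print(repr(raw))
        for name, outcome in compare(raw).items():
            print("  %-17s %s" % (name, outcome))
```

Running the script shows the contrast directly: "1 or id=5" returns two posts through concatenation and through escaping without quotes, but none once the value is quoted or passed as a parameter, while a plain "1" still returns the first post in every variant. The quoted input "1' or id='5" produces a syntax error in the unquoted variants, which is the kind of error an application should log rather than echo back to the browser.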

Of course, if this is all a bit too nerdy for you, and you would like for us to check if your website is protected against SQL injections, let us know!