332 Chapter 14 ■ SQL Injection
SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;--
Many of the common database products such as Microsoft’s SQL Server and Oracle’s
Siebel allow several SQL statements separated by semicolons to be executed at once. This
technique, known as batch execution, allows an attacker to execute multiple arbitrary
commands against a database. In other databases, this technique will generate an error and
fail, so knowing the database you are attacking is essential.
If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items
WHERE 'a' = 'a', the following three valid statements will be created:
SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a' = 'a';
A good way to prevent SQL injection attacks is to use input validation, which ensures
that only approved characters are accepted. Use whitelists, which dictate safe characters,
and blacklists, which dictate unsafe characters.
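The following is an added example, not code from the book: it reproduces the batch-execution behaviour described above and places the vulnerable string-concatenated query beside a parameterized one and a whitelist check. It assumes SQLite as a stand-in for a batch-capable engine (sqlite3's executescript runs every semicolon-separated statement it receives), an in-memory items table with constructed rows, and a regular-expression whitelist of the characters an item name may contain; the injected value is the one the book shows.

```python
import re
import sqlite3

# Constructed sample rows; the book's query only names owner 'link' and an itemname.
SEED_ROWS = [("link", "sword"), ("link", "shield"), ("zelda", "ocarina")]

# The injected value from the book: closes the quoted literal, ends the statement,
# appends a second statement, and comments out whatever the application appends after it.
INJECTED_ITEMNAME = "name'; DELETE FROM items;--"

# Whitelist in the book's sense (assumed character set): the only characters an item name may hold.
ITEMNAME_WHITELIST = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def fresh_db():
    """In-memory SQLite database holding the constructed items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def build_query_unsafe(owner, itemname):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text."""
    return "SELECT * FROM items WHERE owner = '%s' AND itemname = '%s';" % (owner, itemname)


def lookup_unsafe(conn, owner, itemname):
    """Runs the concatenated text with executescript, which, like the batch-capable
    engines the book names, executes every semicolon-separated statement it is given.
    Returns the number of rows left in items afterwards."""
    conn.executescript(build_query_unsafe(owner, itemname))
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def lookup_safe(conn, owner, itemname):
    """Parameterized form: the driver binds the value as data, so a quote or semicolon
    inside it can never terminate the statement or start another one."""
    return conn.execute(
        "SELECT * FROM items WHERE owner = ? AND itemname = ?", (owner, itemname)
    ).fetchall()


def itemname_is_valid(itemname):
    """Input validation as the book describes it: accept only whitelisted characters."""
    return ITEMNAME_WHITELIST.fullmatch(itemname) is not None


def demo():
    """Returns the observable difference between the two query styles."""
    results = {}

    conn = fresh_db()
    results["rows_after_unsafe"] = lookup_unsafe(conn, "link", INJECTED_ITEMNAME)

    conn = fresh_db()
    results["safe_matches"] = lookup_safe(conn, "link", INJECTED_ITEMNAME)
    results["rows_after_safe"] = conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    results["safe_real_lookup"] = lookup_safe(conn, "link", "sword")

    results["payload_passes_whitelist"] = itemname_is_valid(INJECTED_ITEMNAME)
    results["name_passes_whitelist"] = itemname_is_valid("sword")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running the script shows the concatenated query leaving the table empty, while the parameterized query returns no match for the injected value and leaves all rows in place; the whitelist rejects the injected value before it ever reaches the database. Note that SQLite's ordinary execute() refuses multi-statement text, which is the "generate an error and fail" behaviour the book describes for some databases; executescript is used here only to model the engines that do batch.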
Results of SQL Injection
What can be accomplished as a result of a SQL injection attack? Well, there are a huge
number of possibilities, which are limited only by the configuration of the system and the
skill of the attacker.
If an attack is successful, a host of problems could result. Consider the following a
sample of the potential outcomes:
■ Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
■ Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
■ Alteration of data or outright replacement of data in existing databases with information created by the attacker.
■ Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system.
■ Denial of service, performed by flooding the server with requests designed to overwhelm the system.
■ Data extraction and disclosure of all data on the system through the manipulation of the database.