How Can A Hacker Steal Your Data Using SQL Injection? – Description and Remedies to It

Hackers can steal or delete the data on your database server using SQL injection for any malicious reason, and for you the harm can be very real. In severe cases, where security is weak, a hacker can break the application's code, easily obtain administrative privileges on the database server, and leave your web server or database open to further attack. Content websites, blogging sites and even e-commerce websites are susceptible to SQL injection attacks.

Web developers should apply sound programming standards and security practices to protect against the theft and loss of data by malicious hackers. Even a Secure Sockets Layer (SSL, a protocol used for transmitting private documents over the Internet using cryptography) certificate does not protect your data from SQL injection: it secures the connection, not the query.

How is hacking done using SQL injection?

The most common database engines, such as SQL Server and MySQL, use SQL queries to insert, update, delete, merge, alter, drop, roll back, rename, truncate and otherwise change the records in database schemas and tables. SQL relies on its DML (Data Manipulation Language), DDL (Data Definition Language) and DCL (Data Control Language) components to run queries on the data server, and if the data server is compromised, the hacker can cause real trouble with these same queries. Some web developers build dynamic SQL for their websites from the input of HTML forms. For example, a developer may build a 'select' query from the input an employee types when logging in to the site. The code below illustrates such a 'select' query in SQL.

SELECT first_name, last_name, employee_id, department_id, salary, location, phone_number
FROM Employees
WHERE last_name = 'Thomas';

With this query a hacker can obtain most of the details of the employee named 'Thomas'. All of his confidential details can be exposed if the hacker obtains the privileges of an administrator, after which the hacker can easily update, delete and insert data in the database. The query above concerns a single employee, but with SQL injection the hacker can retrieve all the records from the employees table, or even from the whole schema. SQL injection relies on the syntax of SQL string literals: character values (names and dates) must be enclosed in apostrophes, because they are format sensitive, and a statement is terminated with a semicolon.

SQL injection permits outside users to access and read the confidential details held in the database of a system or application. In a well developed and designed application only authorized users are permitted to access the system, and external users see only selected data. A poorly designed system, however, may allow external users to peek at the confidential information and details of other authorized users.

How to test whether a website is vulnerable to SQL injection

Now let's do this simple test: if a web page takes input in text form (say a username and password), try the same fields with input that contains string characters such as a single quote. If the website is vulnerable it may behave oddly on such input, typically by returning a database error instead of a normal page. You can see the error message as shown here.

Here is a simple procedure that can be used to extract data in a 'log-in' scenario on a site with weak security; the example obtains a username and then probes the password using SQL queries.

To gain access and find a username: enter a string such as ' OR ''=' for the username and the password on the log-in page; this trial should log you in as an authorized user (suppose Jake happens to be the first user in the table). This reveals that Jake is a user and lets you access his account, but it does not tell you his password.

Now find out whether Jake's password contains the letter "w": enter 'xxx' as the username and the string below as the password:

' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='

Now find out whether "w" is the third letter of Jake's password: enter 'xxx' as the username and the string below as the password:

' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='

Attacks on and Remedies for SQL Injection

When the programmers or developers who write the page's code fail to properly escape the strings that go into their SQL queries, malicious attacks become possible.

Programs build SQL queries to accept and verify values. For example, the SQL query below returns a row if the given username and password exist in the table 'users':

SELECT name FROM users WHERE name='scott' AND password='tiger'

The values in the query above are entered by the user, so a Perl programmer would build the same query like this:

$sql = "SELECT name FROM users WHERE name='$Q::name' AND password='$Q::password'";

A VB programmer might write the same query something like this:

sql = "SELECT name FROM users WHERE name='" & name & "' AND password='" & password & "'"

In both the Perl and VB cases, the generated SQL will not be a valid query if the variable name includes a single quote.

If a sneaky user enters input that results in invalid SQL, the query will produce unexpected results.

Remedies: the remedy for this attack is simple: escape single quotes properly. In SQL a literal apostrophe inside a string is written as two single quotes, so you can substitute every single quote in the input with a doubled single quote.

So in Perl you could write the query with sprintf and let DBI's quote method (on the database handle $dbh, assumed here) escape the values and add the surrounding apostrophes:

$sql = sprintf "SELECT name FROM users WHERE name=%s AND password=%s",
               $dbh->quote($Q::name), $dbh->quote($Q::password);   # $dbh: DBI handle

And in VB you could write the same query as:

sql = "SELECT name FROM users WHERE name='" & Replace(name, "'", "''") & _
      "' AND password='" & Replace(password, "'", "''") & "'"
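The following is an added example, not code from the original article: it builds the article's login query the vulnerable way (the Perl/VB concatenation), the escaped way (doubled apostrophes, as in the remedy above) and with placeholders, then runs the log-in test and the two password probes described earlier against a constructed in-memory SQLite table, so you can see which forms are affected.

```python
# Added example: the article's login query built three ways against an
# in-memory SQLite table. The users rows are constructed sample data.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("jake", "swordfish"), ("scott", "tiger")])  # constructed rows


def login_concat(name, password):
    """Vulnerable: the Perl/VB pattern, user input spliced straight into SQL."""
    sql = ("SELECT name FROM users WHERE name='" + name +
           "' AND password='" + password + "'")
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.Error:
        return None  # invalid SQL: the "behaves oddly" symptom from the test above


def sql_quote(value):
    """The article's remedy: double every apostrophe and wrap in quotes."""
    return "'" + value.replace("'", "''") + "'"


def login_escaped(name, password):
    """Concatenation, but with single quotes escaped properly."""
    sql = ("SELECT name FROM users WHERE name=" + sql_quote(name) +
           " AND password=" + sql_quote(password))
    return [r[0] for r in conn.execute(sql)]


def login_param(name, password):
    """Preferred form: placeholders, so input can never alter the query text."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name=? AND password=?", (name, password))]


# The strings from the article's log-in test and password probes
BYPASS = "' OR ''='"
PROBE_W = "' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='"
PROBE_3RD = "' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='"

if __name__ == "__main__":
    print(login_concat(BYPASS, BYPASS))    # ['jake', 'scott']: every user matches, first one wins
    print(login_concat("xxx", PROBE_W))    # ['jake', 'scott']: rows back, so password contains 'w'
    print(login_concat("xxx", PROBE_3RD))  # []: 'w' is not the third letter of 'swordfish'
    print(login_concat("O'Brien", "x"))    # None: a legitimate apostrophe breaks the query
    print(login_escaped(BYPASS, BYPASS))   # []: the payload is now just a string value
    print(login_param("xxx", PROBE_W))     # []: placeholders never reach the SQL parser
```

Note that with the escaped and parameterized forms a name such as O'Brien is handled correctly as well, whereas the concatenated form turns it into a database error.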

Protection against SQL Injections that May Affect Your Database and Websites

⇒ The ultimate security step against any malicious attack on your website is to use stored procedures. Database management utilities let you create stored procedures for your hosted services.

⇒ The next protection step is to replace each single apostrophe in the input with two apostrophes; this tells the database to treat the pair as a single literal apostrophe within the string rather than as the end of it.

⇒ Create a separate database user account for every website that runs on your server, and restrict each account's access to only the privileges that site needs.

⇒ Avoid dynamic SQL queries; some websites build their statements from user input with dynamic SQL. Instead of dynamic statements, create separate stored procedures that take the user's values as input parameters.

⇒ Encryption is also a defence against malicious attacks. Encrypt your sensitive or vulnerable data, so that even if a hacker breaks through your access controls he still has to get through the encrypted passwords. Any table or field holding vulnerable data should be encrypted in addition to using SSL on the connection.

Steven Bowen

Steven Bowen is an ardent team member of No-refresh, a Web to Print Design Tool provider company, and brings professionalism to developing fully functional solutions. With his expertise in this arena, he has contributed to an array of blogs that focus on technological advancement and on improving end users' level of information.