Hi,

SQL injection happens when an improperly validated data field can be used to inject SQL statements or exec commands into your DBMS.

The validation can fail either at the client end (i.e. done poorly or none) or at the server end (ditto).

You can test your field to see if it is vulnerable to SQL injection by entering the following (e.g. for a login page) or their Unicode/hex equivalents:

Name: '

Password: ' (usually shown as *)

If the field is not being validated then it will throw a SQL database error statement. Validation should exclude all unexpected characters, e.g. '@{}[]<>|\/?%&^' etc. IOW, only alphanumeric characters should be permitted. A combination of JavaScript at the client end and stored procedures at the other end should do this.

The reason for validating at both ends is that it is possible to trap the GET or POST at the client side using a virtual proxy and alter the supposedly validated data stream before forwarding it to the server.

The other thing that you should do is ensure that the 'exec' commands are not available to the query running from the public web page (i.e. it should have minimal rights - if it's for query only, for example, it should not have write or delete privileges, and it should not be sa).

The reason why SQL injection is important is that it can be used to enumerate the database and to alter its contents.

e.g. once you have found out that SQL injection is possible, you could for example enter the following

Name: ' or 1=1 --   (this is the format for Microsoft SQL and may not work on other platforms)
Password: ' or 1=1 --

If the SQL statement reads

select * from usernametable where uname = 'Name' and passw = 'Password'

This will translate as

select * from usernametable where uname = '' or 1=1 -- ' and passw = '...'   (rest of statement ignored)

Result, you will be logged in because you meet the condition of the statement.

Or you could enumerate the database e.g.

Name: ' group by uname --

This will throw an error telling you the next field in the database e.g. passw

Name: ' group by uname, passw --

This will throw an error telling you the next field e.g. CreditCardNo

Suddenly you have a database well worth breaking into... especially if you fancy some free jail time.

You can also type the variables by using the command

Name: ' having ...

This causes the database to throw an error telling you the type and size of the variable.

Once you know this you can insert data into the table, e.g.

Name: '; insert into usernametable (uname, passw) values ('tenzenryu', 'tenzenryuismypassword2') --

and suddenly I am a legitimate user - well, kind of.

Or you can delete records, drop the table, etc. and generally vandalise it.

This isn't the only database security problem you can have (e.g. a common one is blank sa or default passwords) and I suggest getting training in secure database design and implementation as well as secure web and SQL coding.

R
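Added example (not part of the post above, and not the poster's code): a runnable Python/SQLite model of the login page described in the reply. It builds the usernametable with two constructed sample users, shows the string-concatenation query that the lone quote probe breaks and that ' or 1=1 -- bypasses, and beside it the hardened version that applies the alphanumeric allowlist to the username and binds both values as parameters so they can never become SQL. The table and user names are assumptions made for the example; the group by / having error-message enumeration is Microsoft SQL behaviour and is not reproduced here because SQLite does not report column names that way.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database with a usernametable like the post's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table usernametable (uname text, passw text)")
    conn.executemany(
        "insert into usernametable (uname, passw) values (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_login(conn, name, password):
    """The flawed pattern: user input pasted straight into the SQL text.

    Returns a list of matching usernames (non-empty means 'logged in'),
    or a dict with the database error text when the statement breaks,
    which is exactly the tell-tale the post says to look for.
    """
    sql = (
        f"select uname from usernametable where uname = '{name}' "
        f"and passw = '{password}'"
    )
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return {"error": str(e)}
    return [r[0] for r in rows]


def is_allowed_identifier(value, max_len=32):
    """Allowlist check: only ASCII letters and digits, bounded length."""
    return 0 < len(value) <= max_len and value.isascii() and value.isalnum()


def safe_login(conn, name, password):
    """Hardened pattern: validate the username against the allowlist, then
    bind both values with placeholders so the input is data, never SQL.
    The password is not character-restricted because binding makes that
    unnecessary; it is just passed as a parameter."""
    if not is_allowed_identifier(name):
        return []
    rows = conn.execute(
        "select uname from usernametable where uname = ? and passw = ?",
        (name, password),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("probe with a lone quote:", vulnerable_login(db, "'", "x"))
    print("bypass:", vulnerable_login(db, "' or 1=1 --", "anything"))
    print("hardened, same bypass:", safe_login(db, "' or 1=1 --", "anything"))
    print("hardened, real login:", safe_login(db, "alice", "correct horse battery staple"))
```

Run it directly to see the probe produce a database error, the bypass return every user, and the hardened function return nothing for the same input. Note that the allowlist alone is not the fix: the placeholders are what stop the payload, and the allowlist is a second layer that also rejects the initial quote probe before it reaches the database.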