Friday, July 22, 2005

Web Programming Security: SQL Injection

SQL Injection is a way for web attackers to take advantage of a common programming habit of web developers in order to gain access to a protected system. It lets an attacker get past a Login/Password screen without knowing the login name or the password.

In many web login pages, the user interface has a field called, say, Login, and another called, say, Password. When the user enters the login and the password, the program checks whether this user is authenticated by building the SQL statement with string concatenation, like this:

sql = "Select * from Users Where Login = '" & Login & "' and Password = '" & Password & "'"

If a record comes back (the recordset is not at EOF), this person is authenticated. If none does (EOF), the person is not authenticated.

It looks correct, but through an attacker's eyes it is not. The attacker can get into the system by filling the Login box with:

' or 1 = 1 --

and leaving the Password blank.

This makes the SQL statement become:

Select * from Users where Login = '' or 1 = 1 --' and Password = ''

which is effectively equal to

Select * from Users where Login = '' or 1 = 1

since -- starts a comment, so the database ignores everything after it. The condition 1 = 1 is true for every row, so the query returns the first record in the Users table (which is often an administrator's).

At this point the attacker is authenticated as whichever user that first record belongs to. It is scary.

How can this be prevented? The reliable fix is to never build the SQL statement from raw user input: pass the Login and Password values to the database as bound parameters (a parameterized query or prepared statement), so the database treats them as data and never as part of the statement. Checking the input boxes for unusual characters such as ' or = is at best a second line of defence: such a blacklist is easy to get wrong, and it does nothing for numeric fields, where no quote is needed to break out of the statement. Rearranging the logic so the SQL is harder to guess is not a fix either. For example, one could look up the user by Login first, and only then compare the stored password of that record against the password entered:

SQL1: Select * from Users where Login = '" & Login & "'"

If SQL1 returns a record (not EOF), compare the Password from that record with the Password entered in program code. This does stop the ' or 1 = 1 -- trick, because the attacker still has to match the first record's password, but Login is still concatenated into the statement, so the attacker can inject a UNION that returns a fabricated row whose Password column holds a value of their own choosing, and the comparison then passes. Only binding the values closes the hole.
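The attack above and the two-step defence, as an added example that is not code from the original post: a Python script against an in-memory SQLite database with a constructed Users table. login_concat is the post's concatenated query, login_two_step is the Login-first lookup with the password compared in code, and login_param uses bound parameters. The function names, the sample rows, the credentials and the UNION payload are assumptions made here for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny Users table like the one the post's query reads.
SAMPLE_USERS = [
    (1, "admin", "s3cret"),
    (2, "alice", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER, Login TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, login, password):
    """The post's query, built by string concatenation (deliberately vulnerable)."""
    sql = ("SELECT * FROM Users WHERE Login = '" + login
           + "' AND Password = '" + password + "'")
    # Any record at all counts as authenticated, exactly like the post's EOF check.
    return conn.execute(sql).fetchone() is not None


def login_two_step(conn, login, password):
    """The post's mitigation: look up by Login only, compare the password in code."""
    sql = "SELECT * FROM Users WHERE Login = '" + login + "'"
    row = conn.execute(sql).fetchone()
    # row[2] is the stored Password column of the record that came back.
    return row is not None and row[2] == password


def login_param(conn, login, password):
    """The real fix: bind the values, so the database never parses them as SQL."""
    row = conn.execute(
        "SELECT * FROM Users WHERE Login = ? AND Password = ?",
        (login, password),
    ).fetchone()
    return row is not None


# The attacker input from the post, plus an assumed UNION payload that defeats the
# two-step check by returning a fabricated row whose Password column is 'x'.
BYPASS_LOGIN = "' or 1 = 1 --"
UNION_LOGIN = "' UNION SELECT 1, 'admin', 'x' --"


if __name__ == "__main__":
    db = make_db()
    print("concat,   ' or 1 = 1 --  :", login_concat(db, BYPASS_LOGIN, ""))    # True
    print("two-step, ' or 1 = 1 --  :", login_two_step(db, BYPASS_LOGIN, ""))  # False
    print("two-step, UNION payload  :", login_two_step(db, UNION_LOGIN, "x"))  # True
    print("param,    ' or 1 = 1 --  :", login_param(db, BYPASS_LOGIN, ""))     # False
    print("param,    UNION payload  :", login_param(db, UNION_LOGIN, "x"))     # False
    print("param,    real login     :", login_param(db, "alice", "hunter2"))   # True
```

Run it directly to see each check's verdict. The two-step lookup rejects the ' or 1 = 1 -- input only because the first record's password happens not to be blank; the UNION payload shows that as long as Login is concatenated, the attacker controls what the "stored" password is. The bound-parameter version treats both payloads as ordinary login names and finds no such user.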

SQL Injection applies in many places, not just the login screen. Attackers can change the path your program takes by predicting how you wrote the code and the SQL, and "hijack" your code to do what they want. Please be careful.
