I was listening to a Security Now podcast on the long drive home. The topic was SQL injection threats. It was the first time I had heard about it, but it is clearly something I need to consider on our web pages that take user input.

Basically, the problem is that user input is used to build a portion of a SQL statement. A simple example would be a login form that asks for a user name and password. Let’s say those two fields are used to see if there is a matching record in a login MySQL database. The SQL statement might be something like this, built from the form input:

Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="http://mywebiste.com/login.php">
<input name="UserName" type="text" id="UserName">
<input name="UserPass" type="password" id="UserPass">
</form>

If for the user name they enter "Bill" and for the password something like this: anything' OR 'x'='x

The resulting SQL statement might then be:

SELECT * FROM users WHERE UserName='Bill' AND UserPass='anything' OR 'x'='x';

By placing a SQL fragment in the data field, the query is changed in a way that was never expected: the AND binds more tightly than the OR, so the WHERE clause is true for every row regardless of the password.
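The login query above, run both as built by string concatenation and with parameterized placeholders, as an added example that is not part of the original post. It uses Python's sqlite3 in place of MySQL, and the table name users, the stored password and the sample row are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table standing in
    # for the post's MySQL login database (name and password are made up).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserName TEXT, UserPass TEXT)")
    conn.execute("INSERT INTO users VALUES ('Bill', 'correct-horse')")
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: the form values are pasted straight into the SQL text,
    so a quote inside the password rewrites the WHERE clause."""
    sql = ("SELECT * FROM users WHERE UserName='" + username +
           "' AND UserPass='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: placeholders make the driver send the values separately
    from the statement, so the quote is just a character in the password."""
    sql = "SELECT * FROM users WHERE UserName=? AND UserPass=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return how many rows each login variant matches for each input."""
    conn = make_db()
    payload = "anything' OR 'x'='x"  # the password value from the post
    return {
        "concat_wrong_pw": len(login_concatenated(conn, "Bill", "wrong")),
        "concat_injected": len(login_concatenated(conn, "Bill", payload)),
        "param_wrong_pw": len(login_parameterized(conn, "Bill", "wrong")),
        "param_injected": len(login_parameterized(conn, "Bill", payload)),
        "param_correct": len(login_parameterized(conn, "Bill", "correct-horse")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated query matches a row for the injected password even though it is wrong, while the parameterized query matches only the real password.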

On some SQL servers, such as MS SQL Server, any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of "UserName" would cause the deletion of the "users" table as well as the selection of all data from the "data" table (in essence revealing the information of every user):

a';DROP TABLE users; SELECT * FROM data WHERE name LIKE ';

There is no patch on a MySQL database or any firewall that will stop this type of attack. What is needed is a check of the data. I will write more about that after doing some additional research.