How Attackers Can Get Your Database
An attacker can leverage an SQL injection vulnerability to their own advantage. For example, one can bypass an application’s authentication and authorization mechanisms and retrieve supposedly secure content from the entire database. SQL injection can also be used to create, update, and delete records in the database. The attacker can therefore formulate any query SQL allows, limited only by their imagination.
An application typically fires SQL queries at the database for numerous purposes: fetching certain records, creating reports, authenticating users, CRUD transactions, and so forth. The attacker only needs to find an application input form whose contents end up in an SQL query. The query prepared from that form can then be twined with malicious content so that, when the application fires the query, it carries the injected payload as well.
One of the ideal situations is when an application asks the user for input such as a username or user id. The application has opened a vulnerable spot there: an SQL statement can be run without the application being aware of it. An attacker takes advantage of this by injecting a payload that becomes part of the SQL query and is processed by the database. For example, the server-side pseudo code for a POST operation on a login form may be:
uname = getRequestString("uname");   // assumed: the username is read from the form the same way as the password
pass = getRequestString("passwd");   // password submitted with the form
// Both values are concatenated straight into the statement text (this is the vulnerable pattern)
stmtSQL = "SELECT * FROM users WHERE " +
          "user_name = '" + uname + "' AND passwd = '" + pass + "'";
database.execute(stmtSQL);
The preceding code is vulnerable to SQL injection because the input that reaches the SQL statement through the variables ‘uname’ and ‘pass’ can be manipulated in a way that alters the semantics of the statement.
For example, input in the login form can modify the statement that actually runs against the database server (MySQL in this example) so that its WHERE clause ends as follows:
user_name = '" + uname + "' AND passwd = '" + pass + "' OR 1=1";
This modifies the original SQL statement to a degree that lets one bypass authentication: the appended OR 1=1 is true for every row, so the query matches users regardless of the credentials supplied. This is a serious vulnerability and must be prevented from within the code.
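As an added example (not code from the original article), here is the login check written in Python against an in-memory SQLite table, with the concatenated statement from the text placed beside a parameterized version of the same query; the table, the single account and its credentials are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration: one account, plaintext
    # password only to keep the example short (real systems store a hash).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    # Same shape as the article's pseudo code: the form values are glued into
    # the statement text, so the database parses them as SQL.
    stmt = ("SELECT * FROM users WHERE user_name = '" + uname
            + "' AND passwd = '" + passwd + "'")
    return conn.execute(stmt).fetchone() is not None


def login_parameterized(conn, uname, passwd):
    # Hardened version: the statement is fixed and the values are bound
    # separately, so a quote or OR 1=1 in the input is just text to compare.
    stmt = "SELECT * FROM users WHERE user_name = ? AND passwd = ?"
    return conn.execute(stmt, (uname, passwd)).fetchone() is not None


def run_demo():
    conn = make_db()
    # The article's "OR 1=1" tautology, supplied through the password field
    # for an account that does not exist.
    tautology = "' OR '1'='1"
    return {
        "valid_creds_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "valid_creds_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "tautology_parameterized": login_parameterized(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

The concatenated version accepts the non-existent account because the WHERE clause becomes true for every row, while the parameterized version rejects it and still accepts the real credentials.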