SQL Injections

An SQL injection allows an attacker to run arbitrary SQL code in the database, which may allow them to retrieve, change or delete data from the database.

Security Assessment

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

An SQL injection allows an attacker to run arbitrary SQL code in the database, which may allow them to retrieve, change or delete data from the database. In some cases, even total control of the server that runs the database is possible.

SQL Injection Webinar

Below you can find the video of our SQL Injection webinar. We explain the differences between manual and automated testing and show an open-source tool to check for SQL injections.

Guides

To prevent SQL injection attacks, treat all user input as potentially malicious and follow these programming guidelines:

Filter User Input

For an attacker to successfully execute an SQL injection, they need to plant code that is run by the web application's database. Therefore, all user input should be validated first and limited to the characters that are actually needed. For example, a registration form may ask a user for a username, password and e-mail address. You can limit the allowed characters of these input fields to characters that do not interfere with the database. Filtering reduces the attack surface but should be combined with the database mappers or prepared statements described in the following sections. The following example filters user input for the three values in PHP:

https://github.com/crashtest-security/gist/blob/master/injection/filter_user_input

Database Mappers

Most modern web frameworks provide some abstraction of the database handling; Laravel, for example, provides Eloquent queries. Created objects are automatically converted and stored in or retrieved from the database. For the user registration form example, one could create the user object in the following way:

https://github.com/crashtest-security/gist/blob/master/injection/db_mappers

The resulting SQL statement is built by the mapper with the values bound as parameters, so it is automatically sanitized and prevents SQL injections.

Sanitize User Input / Prepared Statements

It may not always be possible to use a database mapper. In these cases, use prepared statements to create your SQL queries. Statements of this form pass the user-provided values to the database as bound parameters instead of splicing them into the query text, and therefore prevent SQL injections. For example, in PHP you can create a prepared statement in the following way:

https://github.com/crashtest-security/gist/blob/master/injection/prepared_statements
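The following added example (not the linked Crashtest Security gists) combines the two guidelines above for the registration form: allowlist validation of the username, e-mail and password, followed by a PDO prepared statement for the insert. It runs against an in-memory SQLite database; the `users` table and its column names are assumed.

```php
<?php
// Added example (not the Crashtest Security gist): allowlist validation of the
// registration fields, then a PDO prepared statement. Uses an in-memory SQLite
// database so it runs stand-alone; the table and column names are assumed.

function validateRegistration(array $in): array
{
    $errors = [];
    // Username: 3-32 characters from a fixed allowlist (no quotes, spaces, ...).
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $in['username'] ?? '')) {
        $errors[] = 'invalid username';
    }
    // E-mail: PHP's built-in validator instead of a hand-written regex.
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    }
    // Password: a length rule only; it is hashed and never appears in SQL text.
    if (strlen($in['password'] ?? '') < 8) {
        $errors[] = 'password too short';
    }
    return $errors;
}

function registerUser(PDO $db, array $in): int
{
    if ($errors = validateRegistration($in)) {
        throw new InvalidArgumentException(implode(', ', $errors));
    }
    // Values travel as bound parameters, separate from the query text, so a
    // quote or comment sequence inside them cannot change the statement.
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :p)');
    $stmt->execute([
        ':u' => $in['username'],
        ':e' => $in['email'],
        ':p' => password_hash($in['password'], PASSWORD_DEFAULT),
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT)');

// Constructed inputs: a valid registration, then a username containing a quote.
echo registerUser($db, ['username' => 'alice_01', 'email' => 'alice@example.com', 'password' => 'correct horse battery']), "\n";
try {
    registerUser($db, ['username' => "o'brien", 'email' => 'ob@example.com', 'password' => 'another long one']);
} catch (InvalidArgumentException $e) {
    echo 'rejected by validation: ', $e->getMessage(), "\n";
}
```

Even if the allowlist were loosened to accept the apostrophe, the bound parameter would store it as data rather than letting it terminate the SQL string literal.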

For more information about Crashtest Security visit crashtest-security.com or go to our SQL Injection Page!