1 / 11
Télécharger la présentation

SQL Injection Attacks: Methods, Prevention, and Security Improvements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 13 Security Methods Part 3

  2. SQL Injection Attack • Many web applications take user input from a form • Often this user input is used literally in the construction of a SQL query submitted to a database. For example: SELECT user FROM table WHERE name = ‘user_input’; • An SQL injection attack involves placing SQL statements in the user input Web Security

  3. Login Authentication Query • Standard query to authenticate users: select * from users where user='$usern' AND pwd='$password' • Classic SQL injection attacks • Server side code sets variables $username and $passwd from user input to web form • Variables passed to SQL query select * from users where user='$username' AND pwd='$passwd' • Special strings can be entered by attacker select * from users where user='M' OR '1=1' AND pwd='M' OR '1=1' • Result: access obtained without password Web Security

  4. Some improvements … • Query modify: • select user,pwd from users where user='$usern‘ • $usern=“M' OR '1=1”; • Result: the entire table • We can check: • only one tuple result • formal correctness of the result • $usern=“M' ; drop table user;”? Web Security

  5. SQL Injection Attacker • App sends form to user. • Attacker submits form with SQL exploit data. • Application builds string with exploit data. • Application sends SQL query to DB. • DB executes query, including exploit, sends data back to application. • Application returns data to user. ‘ or 1=1-- User Pass Firewall DB Server Web Server CIT 380: Securing Computer Systems

  6. SQL Injection in PHP $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = @mysqli_query($dbc, $query); CIT 380: Securing Computer Systems

  7. SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access. CIT 380: Securing Computer Systems

  8. SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from tableuserswhereusernamelike ‘% Database executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from tableuserswhereusernamelike ‘%’ CIT 380: Securing Computer Systems

  9. Preventing SQL Injection Attacks • mysqli_real_escape_string() • Prepared statements

  10. post_message.php • Script 13.6 on pages 444-5 • http://csweb.hh.nku.edu/csc301/frank/ch13/post_message.php • ch13\post_message.php

  11. Assignment #22 • http://csweb.hh.nku.edu/csc301/frank/bookorama/insert_bookPS.php

More Related