Page 226
SECURITY GUIDE: Theft by SQL Injection

In a site that is vulnerable to SQL injection, the following SQL statement is sent to the Web site's DBMS.

    SELECT * FROM Users WHERE username='JohnDoe001' AND password='password1234';

If the username and password are both correct, you'll be allowed in. The "injection" part of SQL injection happens when you enter unexpected text into that Web form. You enter text into the login form that changes the way the SQL statement is processed.

Instead of entering a real username and password, put in a random username (in this case, we kept it JohnDoe001) and a malformed, but tricky, statement into the password field (anything' or 1=1 --).

    Username: JohnDoe001
    Password: anything' or 1=1 --

Note that the single quote (') in the password changes the SQL statement by closing the quoted word "anything" and allowing 1=1 to be included. (The double hyphen comments out the rest of the SQL statement, which is not shown because it's not relevant to this guide.) The DBMS now receives this statement:

    SELECT * FROM Users WHERE username='JohnDoe001' AND password='anything' or 1=1 --';

The word "anything" will not match the correct password in the database, but because "or 1=1" was included, the resulting comparison will always be "true." This is because 1=1 is true, and only one side of the comparison needs to be true if "or" is included. This SQL statement will enable you to bypass the login screen and gain access to the system. Similar malformed SQL statements can be used to extract, add, or delete data. There is even software available that largely automates the SQL injection process.

SQL injection can be readily prevented. The particular techniques are beyond the scope of this text, but they come down to never writing computer programs to append user-entered data to a SQL statement. Instead, the users' data is passed to a program controlled by the DBMS that inspects that user-entered data and then uses it without changing any SQL code.⁵

Unfortunately, not all companies take the time to protect themselves from SQL injection. Sony Corp. lost more than 100 million accounts to SQL injection attacks in 2011. In 2014, two U.S. Navy systems administrators on a nuclear aircraft carrier used SQL injection to get the private data of 220,000 sailors. They said they did it out of "boredom."
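To make the prevention concrete, here is an added example (not from the textbook) in Python, using an in-memory SQLite table as a constructed stand-in for the site's Users table. It places the appended-string login the guide warns against beside a parameterized one, and runs the guide's tricky password through both.

```python
import sqlite3

# Constructed in-memory stand-in for the Web site's Users table (assumed schema).
# Plaintext passwords are kept only to mirror the guide's example; a real
# application stores password hashes, never the passwords themselves.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    db.execute("INSERT INTO Users VALUES ('JohnDoe001', 'password1234')")
    return db

def build_appended_sql(username, password):
    # The pattern the guide warns against: user-entered text is appended straight
    # into the statement, so a quote or "--" in the input becomes SQL code.
    return ("SELECT * FROM Users WHERE username='" + username
            + "' AND password='" + password + "';")

def login_appended(db, username, password):
    # Returns True when the DBMS finds a matching row, i.e. the login "succeeds".
    return db.execute(build_appended_sql(username, password)).fetchone() is not None

def login_parameterized(db, username, password):
    # The guide's recommended approach: the SQL code is fixed, and the DBMS
    # receives the user-entered values separately (as parameters), so the
    # values are compared as data and can never change the statement.
    sql = "SELECT * FROM Users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tricky = "anything' or 1=1 --"
    print(build_appended_sql("JohnDoe001", tricky))
    print("appended build, tricky password:", login_appended(db, "JohnDoe001", tricky))
    print("parameterized, tricky password: ", login_parameterized(db, "JohnDoe001", tricky))
    print("parameterized, real password:   ", login_parameterized(db, "JohnDoe001", "password1234"))
```

With the appended build the tricky password logs in; with the parameterized query it is rejected and only the real password succeeds.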
DISCUSSION QUESTIONS
1. Why is data theft attractive to criminals?
2. How common is SQL injection?
3. How does SQL injection work?
4. What can an attacker do to a database using SQL injection?
5. How can organizations prevent SQL injection attacks from being successful?
6. If you were a senior manager at an organization that had serious losses due to SQL injection, what would you do about it?
7. Suppose an organization not only prevents SQL injection from success but also tracks the identity of sites that attempt such attacks. What should the organization do with that attack data?