What is SQL Injection

Are you a student? Simply copy the text below.

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution.

(from wikipedia). Stop here. Don’t copy me, or everything after this paragraph. Don’t be a dummy kiddo.

Nonsense Intro

Are you a wannabe hacker? Probably you are, because if you were already a hacker, there would be no point in reading this nonsensical blabber of mine.

Probably you have a hacker friend, and you have always heard from him that one way of hacking into someone’s website is through SQL Injection. And now we have a question: what is SQL Injection?

Defining SQL and Database

First, let us define SQL and introduce what it is used for, so that we can understand the topic better. SQL stands for “Structured Query Language”, and it is a language used to retrieve data from a database. Just imagine that a database is a storage medium holding all the vital information of a certain website: user authentication data, blog posts, personal info, credit card info, or any other vital (and probably sensitive) information relevant to that kind of system.

WordPress as an Example of a System and How It Relates to a Database

Systems such as WordPress, which I am using right now to relay my blabbers to all of you, use a database to store this blog post that you are reading. Also, in order to prevent anyone from posting and pretending to be me, a login page is needed; when I log in on that page, my inputs are verified against the information stored in the database. If my username and password match the actual username and password stored in the database, then it must be me, and therefore WordPress will allow me to do the admin things like creating a post like the one I’m writing here.

Uhm. So Gab, what is SQL Injection then?

I said a lot. Basically, SQL Injection is a type of code injection wherein you inject a fragment of SQL syntax, typically with malicious intent.

Let’s take a look at this SQL query:

$sQuery = "SELECT COUNT(*) FROM `users` WHERE `username` = '$username' AND `password` = '$password'";

As a legitimate user, I logged in on this website using the following credentials:

Username: GhabXPH
Password: SomeSecurePassword9123

The backend will generate a query like this:

SELECT COUNT(*) FROM `users` WHERE `username` = 'GhabXPH' AND `password` = 'SomeSecurePassword9123'

Given that my username is GhabXPH and my password is SomeSecurePassword9123, the query will return 1. The backend validation then checks whether the result is not zero.

// some code above ....
// $iCount holds the COUNT(*) result of the query above.
// Cast to int first: most DB drivers hand COUNT(*) back as a string,
// and "0" !== 0 would otherwise be true and log everyone in.
// This code checks whether the count from the query is 0 or not
if ((int) $iCount !== 0) {
    // credentials are valid. log the user in!!!
} else {
    // Invalid credentials
}

But then, a naughty hacker attempts to log in to my website using the following credentials:

Username: GhabXPH';--
Password: YouAreOwnedHueHueHue

Since our query is deliberately insecure (no input filtering, and no parameterized query), our query will then look like this:

SELECT COUNT(*) FROM `users` WHERE `username` = 'GhabXPH';--' AND `password` = 'YouAreOwnedHueHueHue';

What the query now does is find a row with username = GhabXPH. The password check is rendered useless because the malicious hacker closed the string literal with a single quote character, ended the statement with a semicolon (;), and commented out the rest of the query with a double dash (--).

Since the query above is valid, it passes the validation check ($iCount is not zero), and thus logs the user in as GhabXPH.
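To see both halves of this in running code, here is an added example (my own, not code from the original post) that rebuilds the login check against a constructed in-memory SQLite table: `login_vulnerable` glues the input into the query text exactly like `$sQuery` above, while `login_safe` binds the same input as query parameters so the `';--` username stays ordinary data that matches nothing. The `make_db` helper, the table layout and the function names are my assumptions; passwords sit in plaintext only to mirror the post.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the blog's users table (one known account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("GhabXPH", "SomeSecurePassword9123"))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """String concatenation, the same shape as the post's $sQuery."""
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(conn, username, password):
    """Runs the concatenated query; a quote in the input rewrites the SQL."""
    query = build_vulnerable_query(username, password)
    count = conn.execute(query).fetchone()[0]
    return count != 0  # the post's "$iCount is not zero" check


def login_safe(conn, username, password):
    """Parameterized version: the SQL text is fixed, values are bound."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    count = conn.execute(query, (username, password)).fetchone()[0]
    return count != 0


if __name__ == "__main__":
    db = make_db()
    payload_user, payload_pass = "GhabXPH';--", "YouAreOwnedHueHueHue"
    print(build_vulnerable_query(payload_user, payload_pass))
    print("vulnerable:", login_vulnerable(db, payload_user, payload_pass))
    print("safe:      ", login_safe(db, payload_user, payload_pass))
```

Printing the built query shows the `';--` closing the literal and turning the password clause into a comment, which is why the vulnerable check returns True and the parameterized one returns False.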
