SQL Injection Tutorial

SQL Injection is the manipulation of web-based user input in order to gain direct access to a database or its functions. Read on through this SQL injection tutorial to understand how this popular attack vector is exploited.

The majority of modern web applications and sites use some form of dynamic content. This content can be in the form of articles, blog posts, comments, guest books, shopping carts, product lists, photo galleries, personal details, usernames, passwords; the list goes on. Whether the web server is Apache on Linux or IIS on Windows, if it is running a server-side scripting language such as PHP, ASP, JSP or CFM, it is likely there is a database in the background storing all this dynamic content.

SQL Injection involves bypassing the normal methods of accessing the database content and injecting SQL queries and statements directly into the database through the web application in order to steal, manipulate or delete the content. System access is even possible in many instances where the database is able to reach system resources; this can end in entire system compromise and attackers inside your network, not only the theft of all your data.

Have you looked closely at the full URL of the websites you visit?

Notice the ?itemid=944 … this is a parameter that the web application passes to the database in order to retrieve the content you are looking at.

Through HTTP GET based SQL injection we can manipulate these parameters to send unintended statements into the database. For example: instead of retrieving article number 1, why don’t you show me article number 1 AND all the users and passwords in your database….

The online SQL injection test from HackerTarget.com will test each parameter in the URL for possible SQL injection using the excellent tool sqlmap. If a vulnerable parameter is found, the only data retrieved by this test is the database version. sqlmap can also be used to show the results of much more devastating requests, such as retrieving all the data or specific tables of data from the database, or even the insertion of code execution commands and shells.

SQL Injection Vulnerabilities are also very prevalent in the form fields of web applications.

Form-based SQL injection is conceptually the same, the only difference being that the rogue SQL statements are inserted via a POST request on the form submit rather than via an HTTP GET parameter.

Username / Password forms are a well-known point of attack. One type of attack allows the bypassing of the password part of the login.

This tells the database to ignore the rest of the SQL query (the password part) and to evaluate only “if username = googleadmin and a=a --” (and then give the user access to the system). Oops!

SQL Injection can also be used to attack other points of web applications, even cookie parameters; however, HTTP GET and HTTP POST requests are the most common vectors.

So how can it be fixed?
It is simple in theory but not so easy in practice, as can be seen from the ongoing SQL injection based compromises that have resulted in literally millions of database records being lost.

All user-editable points of input into a web application must have their input sanitised to prevent the execution of unauthorised SQL code. The OWASP site has some excellent information if you are looking for more detailed technical resources.
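To make the login bypass described above concrete, and to show the fix, here is an added example in Python (not code from the original page or from HackerTarget): a login check built by string concatenation next to the same check written as a parameterised query. The in-memory SQLite table and the googleadmin credentials are constructed sample data; the only difference between the two functions is how the user input reaches the database.

```python
import sqlite3


def make_db():
    # Constructed sample table; the credentials are placeholders, not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('googleadmin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Input is pasted into the SQL text, so a quote in the username ends the
    # string literal and '--' turns the password check into a comment.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so quotes and comment markers are matched as literal data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "googleadmin' AND 'a'='a' --"   # the page's a=a -- pattern
    print("concatenated, wrong password:", login_vulnerable(db, crafted, "wrong"))
    print("parameterised, wrong password:", login_safe(db, crafted, "wrong"))
```

With the concatenated query the crafted username logs in without the password; the parameterised query compares the whole string against the stored username and rejects it.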

A History of SQL Injection Attacks

Click below for an introductory presentation to the history of SQL Injection attacks.