Submitted by GEScottKnauss on

A quick look at the Open Web Application Security Project (OWASP) web site will tell you that the number one vulnerability in web applications is "Injection". This means that an attacker is able to literally inject some piece of code or data into the target website. In the majority of cases, this is an application programming problem: the developer either used an API that did not properly check its inputs or used user input without properly sanitizing it. A classic example of this is SQL injection. SQL (Simple Query Language) for databases is widely used and, if improperly integrated into a website, is easy to exploit.

Example SQL Query Injection

This SQL query will return the password, login and full name for the email address provided by the user.

SELECT passwd, login_id, full_name          -- Fields to return from query
FROM members                                -- Table to search
WHERE email = '$USER_INPUT@EMAIL_ADDRESS';  -- What to search for

Suppose the user enters something other than an email address such as:

USER_INPUT => "x'; DROP TABLE members; --"

SELECT passwd, login_id, full_name          -- Fields to return from query
FROM members                                -- Table to search
WHERE email = 'x'; DROP TABLE members; --'; -- Extra commands

The first part of the user input, "x';", terminates the original SQL query, which now searches on "x" as the email address. The second part, "DROP TABLE members; --", deletes the entire members table!

While this is an extreme and simple example, it demonstrates the ease and power of an injection attack. To prevent this, all input from the user must be checked for special characters such as the single quote, the semicolon and any other characters that have special meaning in SQL. These characters must either be removed from the input or escaped. Escaping leaves the characters in the user input but prevents the SQL server from interpreting them. How the characters are escaped depends on the programming language being used.
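To make the example above concrete, here is an added Python demonstration that is not part of the original post. It feeds the article's exact input to both a string-spliced query and a parameter-bound query, using Python's sqlite3 module with an in-memory table as a constructed stand-in for the members table, and adds an allow-list email check as the kind of input validation described above. Parameter binding (letting the database driver carry the value separately from the SQL text) is shown here as the mitigation most practitioners now prefer over hand-escaping.

```python
import re
import sqlite3

# The injection string from the article, kept verbatim so both lookups
# receive exactly the same input.
ARTICLE_INPUT = "x'; DROP TABLE members; --"

# Conservative allow-list for the shape of an address (constructed for this
# example). Validation like this is defense in depth; it does not replace the
# parameter binding in lookup_parameterized().
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_plausible_email(value):
    return EMAIL_RE.match(value) is not None

def make_db():
    """Constructed in-memory stand-in for the article's members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (passwd TEXT, login_id TEXT, full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        ("s3cret", "alice", "Alice Example", "alice@example.com"),
        ("hunter2", "bob", "Bob Example", "bob@example.com"),
    ])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_input):
    """The pattern the article warns against: user text spliced into the SQL.

    sqlite3's execute() happens to refuse a second statement; executescript()
    runs all of them, as many other database drivers and engines do."""
    sql = "SELECT passwd, login_id, full_name FROM members WHERE email = '%s';" % user_input
    conn.executescript(sql)
    return sql

def lookup_parameterized(conn, user_input):
    """Hardened form: the driver binds the value; it is never parsed as SQL."""
    cur = conn.execute(
        "SELECT passwd, login_id, full_name FROM members WHERE email = ?",
        (user_input,),
    )
    return cur.fetchall()

def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterized(db, ARTICLE_INPUT), table_exists(db, "members"))  # [] True
    lookup_vulnerable(db, ARTICLE_INPUT)
    print(table_exists(db, "members"))  # False
```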


Originally written for DrupalConnect and posted here.