In this case the problem stems from a badly programmed data access layer.
Example: We have a web page that requires user identification. The user must fill in a form with their username and password. This information is sent to the server to check whether it is correct:

As we can see in the example, the executed SQL is built by directly concatenating the values typed by the user.
In a normal request, where the expected values are sent, the SQL works correctly. But we can have a security problem if the values sent are the following:

In this case, the generated SQL returns all the users in the table, even though no valid combination of username and password was typed. As a result, if the program doesn't check the number of returned results, the sender might gain access to the private zone of the application without having permission to do so.
The consequences of exploiting this vulnerability can be mitigated by limiting the database permissions of the user account the application connects with. For example, if the application user can delete rows in the table, the consequences can be very severe.
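The login check described above, as an added example that is not code from the original page: the concatenated query beside a parameterized one that also checks the row count. The in-memory SQLite `users` table, the function names and the sample values are all constructed assumptions.

```python
import sqlite3

# Constructed input: quote characters that close the string literal early
# and append a condition that is true for every row.
CRAFTED = "' OR '1'='1"

def make_db():
    # Constructed sample table. Plaintext passwords keep the demo short;
    # a real application stores password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice-secret"), ("bob", "bob-secret")])
    return db

def match_concatenated(db, username, password):
    # Vulnerable form: typed values are pasted into the SQL text, so they
    # can change the structure of the WHERE clause.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_concatenated(db, username, password):
    # Accepts any non-empty result and never checks how many rows matched.
    return len(match_concatenated(db, username, password)) > 0

def match_parameterized(db, username, password):
    # Hardened form: placeholders bind the typed values as data only.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

def login_parameterized(db, username, password):
    # A valid login matches exactly one user; anything else is rejected.
    return len(match_parameterized(db, username, password)) == 1

if __name__ == "__main__":
    db = make_db()
    print("concatenated, crafted :", match_concatenated(db, CRAFTED, CRAFTED))
    print("parameterized, crafted:", match_parameterized(db, CRAFTED, CRAFTED))
    print("parameterized, valid  :", login_parameterized(db, "alice", "alice-secret"))
```

The row-count check in `login_parameterized` is a second line of defence only; the bound parameters are what keep the typed values out of the SQL syntax.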