24-04-2010, 08:16 PM
Presented By:
BY:-
Nikita Dhurve
Bvcoew,Pune.
SQL INJECTION
SYNOPSIS:-
This paper contains information about extremely popular database attacks. Most of today's web applications require dynamic content and input from users which further are maintained in a database. This is achieved by using languages such as SQL the most common being mySQL.
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database recover the content of a given file present on the DBMS file system.
The attacker can gain unauthorized access to restricted data such as usernames /passwords/email addresses etc which is sucked by the web applications to perform some specific tasks. It attacks on the web application
(like ASP, JSP, PHP, CGI, etc) itself rather than on the web server or services running in the OS.
CATEGORIES OF SQL INJECTION ATTACKS
Four main categories of SQL Injection attacks against Oracle databases “
1. SQL Manipulation
2. Code Injection
3. Function Call Injection
4. Buffer Overflows
AVOIDING SQL INJECTION VULNERABILITIES
The various techniques used to prevent SQL injections are:
1. Parameterized query
2. Stored procedure
3. Regular expression to discard input string
4. Quoteblock function
5. Do not show detailed error messages to the user.
6. Have a less privileged user/role of your application in database
AUTOMATED SQL INJECTION TOOLS
1.Wpoison is a tool that will find any strings potentially SQL Injection vulnerabilities in dynamic web documents.
2. mieliekoek.pl is an SQL Injection insertion crawler that will test all forms on a website for possible SQL injection problem.
3. SQLbf is a SQL Server Password Auditing tool. This tool should be used to audit the strength of Microsoft SQL Server passwords offline.
Conclusion:-
The purpose of this article is to make aware the people related to database
maintenance say DBA, Site owner, Computer science students working on database projects
and to general people who are launching their sites on internet.Through this article one can know that what are the breaches that can be secured either code or protection security like firewalls.