
SQL Injection Attack

SQL injection is consistently ranked among the most dangerous web application attacks. It exploits poor handling of user input: the attacker supplies input that contains SQL syntax, the application pastes that input straight into a query string, and the database interpreter cannot tell the attacker's fragment apart from the developer's query, so the injected SQL is executed. Depending on the attacker's goal, the result is a bypassed login, stolen or modified data, or further access to the server. SQL injection is a server-side attack, since the database it abuses sits behind the web application. The figure shows an example of SQL injection used for authentication bypass.


Fig. SQL Injection Attack for simply bypassing the login authentication

You see a form like the one above on many login pages. But have you ever thought about how it authenticates you? At the back end there is a SQL query, which can look like this:


select first_name, last_name, address, ....
from user
where username = '' and password = ''


Here first_name, last_name, username and password are columns of the table, and user is the name of the table. The values you type into the form are placed between the quotes.


If you enter a valid username and password (for example, paragtailor and abc123), you get authenticated. Your entered values are carried into the SQL query as follows:


select first_name, last_name, address, ....
from user
where username = 'paragtailor' and password = 'abc123'


The matching row is returned and the application displays your information: first name, last name, address, and so on.


But in the figure above we entered ' or 1 = 1 -- as the username (and nothing as the password). Now let's see what happens at the back end. The SQL query carrying the entered values looks like this:


select first_name, last_name, address, ....
from user
where username = '' or 1 = 1 --' and password = ''


Here the quote we entered ( ' ) pairs with the opening quote that was already in the query and closes it early. The pair now encloses nothing, so the comparison becomes username = '' (an empty string), which is false for any real user.


Then we entered 1 = 1, which is always true, and the boolean operator OR accepts the row if either side is true. So we deliberately make the first comparison false and the second one true. Note that without the comment that follows, AND binds more tightly than OR, so the condition would read username = '' or (1 = 1 and password = ''), which is still false for a normal account; the comment is what removes the password check.


Finally we added --. This is the SQL single-line comment marker, used by Oracle, MS SQL Server and most other databases. Everything after --, up to the end of the line, is discarded and never processed: the stray closing quote, the AND, and the whole password comparison.


Thus the query the database actually evaluates is:


select first_name, last_name, address, ....
from user
where username = '' or 1 = 1 --


Because the application only concatenates the input into the query string and never validates, escapes or parameterizes it, the injected code is not caught. Since 1 = 1 is true for every row, the query returns every user in the table, and an application that simply takes the first returned row logs the attacker in as the first user in the database. Very often that first user is the administrator account, so the attacker ends up logged in as admin.


Note: -- works in Oracle, MS SQL Server, PostgreSQL and SQLite. MySQL also accepts -- but only when it is followed by a space, so a MySQL payload must end with "-- " (trailing space) or the comment is not recognized; MySQL additionally accepts # as a single-line comment marker, and the block comment /* ... */ is understood by all of them.
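The following added example (written for this page, not code from the original post) reproduces the whole bypass end to end in Python against an in-memory SQLite database, and puts the fix beside it. The user table, its rows and the column values are constructed sample data; the functions login_vulnerable, login_safe and demo are names chosen here. It also goes one step beyond the page with a second payload, admin' --, which uses the same quote-and-comment trick to pick a specific account instead of relying on the first row.

```python
import sqlite3

# Constructed sample data (not from the page). The first row is the admin,
# matching the page's remark that the first user is often the administrator.
# Plaintext passwords are kept only so the example reads like the page's query;
# a real application would store password hashes.
SAMPLE_USERS = [
    ("admin", "s3cr3t!", "Site", "Admin", "1 Server Road"),
    ("paragtailor", "abc123", "Parag", "Tailor", "22 Example Street"),
]


def make_db():
    """Create an in-memory SQLite database holding the page's 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (username TEXT, password TEXT, "
        "first_name TEXT, last_name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern the page describes: user input is pasted straight into
    the SQL text, so a quote and a -- in the input rewrite the query."""
    query = (
        "SELECT first_name, last_name, address FROM user "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    # Like many login handlers, take the first matching row and ignore the rest.
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Hardened form: a parameterized query. The driver sends the values apart
    from the SQL text, so quotes and -- inside the input are just characters."""
    query = (
        "SELECT first_name, last_name, address FROM user "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchone()


BYPASS_PAYLOAD = "' OR 1=1 --"   # the page's payload: true for every row
TARGETED_PAYLOAD = "admin' --"   # beyond the page: closes the quote after a chosen name


def demo():
    """Run both login implementations against valid and injected input.

    Returns a dict of the rows each call produced (None means 'login failed')."""
    conn = make_db()
    results = {
        "valid_vulnerable": login_vulnerable(conn, "paragtailor", "abc123"),
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, ""),
        "targeted_vulnerable": login_vulnerable(conn, TARGETED_PAYLOAD, "wrong"),
        "valid_safe": login_safe(conn, "paragtailor", "abc123"),
        "bypass_safe": login_safe(conn, BYPASS_PAYLOAD, ""),
        "targeted_safe": login_safe(conn, TARGETED_PAYLOAD, "wrong"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:>20}: {row}")
```

Running it shows the vulnerable handler returning the admin row for both injected payloads (the first row of the table for ' OR 1=1 --, the chosen account for admin' --), while the parameterized handler returns a row only for the genuine credentials and None for both payloads. SQLite, like Oracle and MS SQL Server, treats -- as a comment with nothing after it; against MySQL the same payloads would need a space after -- or # in its place, as the note above says.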

