sql injection - when the statement is already in the db


I am a junior in SQL and in all the SQL injection stuff, and I have some questions.

I have a website; it's written in ASP.NET C#.

  1. Let's say I have an HTML editor, and I get the HTML from the client and save it to the DB. Now let's say someone tries to do SQL injection on me. What code does he need to put in the HTML to create the SQL injection (if it can be done... not sure..)?

  2. If he puts SQL injection code into my DB, and it's in the DB, I mean he saves the HTML with the SQL injection statement, when the code is loaded in the HTML editor, can it execute the SQL statement?

    • When I say select statement I mean something like: select top 10 * from configoration where accountid=10

Please advise me, I am a junior so be nice =]


There are 6 answers

0
slambeth On

SQL Injection is an issue if you're manually assembling your SQL statements by concatenating the predicate parameters with the rest of your SQL, then submitting that query to the DB, i.e.

// Vulnerable: param_1 is spliced into the SQL text, so a quote inside it ends the string literal
String sql = "SELECT * FROM my_table WHERE id = '" + param_1 + "'";

If this is how you're assembling your query, then an injection attempt can be made to terminate that statement where the parameter is, then splice in other SQL to query out data that was not intended.

You can prevent this by using bind variables (which is better anyway), or wrapping up your queries in stored procs.

i.e. in JDBC (C# is very similar):

// The '?' placeholder marks where the value is bound; the SQL text itself never changes
String sql = "SELECT * FROM my_table WHERE id = ?";
PreparedStatement stmt = dbConn.prepareStatement(sql);
stmt.setString(1, myIDVal); // the value is sent separately from the SQL, so quotes in it are just data
0
laskdjf On

SQL injection will only happen when you query the database. If you are retrieving a file with SQL injection code in it and nowhere in your query is there user input, then you are fine. The only time you have to check for SQL injection is when you query using the user's input, e.g. username, password, from textboxes, etc.
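A worked version of the question's second scenario (hostile content saved from the HTML editor and read back later), added here as an illustration; it is not code from the question or from any of the answers. It uses Python's standard sqlite3 module as a stand-in for the ASP.NET / SQL Server stack the question describes; the table names, the hostile editor content and the "archive to AuditLog" step are constructed for the demonstration. Besides showing that a parameterised INSERT and SELECT store and return the text without executing it, it shows the caveat a practitioner wants to see: the stored text is only harmless as long as every later query that touches it also uses parameters, and HTML-encoding is what keeps the `<script>` part from running in the browser.

```python
import html
import sqlite3

# Constructed sample input: what a hostile user might type into the HTML editor.
# It carries a script tag (code injection in the browser) and a SQL fragment
# that tries to close the quoted string and append a statement of its own.
HOSTILE_HTML = "<b>hello</b><script>alert(1)</script>'); DROP TABLE Pages; --"


def make_db():
    """Constructed stand-in for the site's database: two in-memory tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Pages (AccountId INTEGER, Html TEXT)")
    conn.execute("CREATE TABLE AuditLog (AccountId INTEGER, Html TEXT)")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def save_page(conn, account_id, html_text):
    """Parameterised INSERT: the editor content is bound as a value, so the quote
    and the DROP TABLE inside it are stored as ordinary characters."""
    conn.execute("INSERT INTO Pages (AccountId, Html) VALUES (?, ?)",
                 (account_id, html_text))
    conn.commit()


def load_page(conn, account_id):
    """Parameterised SELECT: reading the stored text back does not execute it."""
    row = conn.execute("SELECT Html FROM Pages WHERE AccountId = ?",
                       (account_id,)).fetchone()
    return row[0] if row else None


def render_as_text(stored_html):
    """Browser side: HTML-encode the stored content so <script> is displayed as
    text rather than run. (Allowing a subset of tags needs a real HTML
    sanitiser; encoding everything is the simple safe case.)"""
    return html.escape(stored_html)


def archive_page_safe(conn, account_id):
    """Later query that re-uses the stored value, done correctly with parameters."""
    stored = load_page(conn, account_id)
    conn.execute("INSERT INTO AuditLog (AccountId, Html) VALUES (?, ?)",
                 (account_id, stored))
    conn.commit()


def archive_page_unsafe(conn, account_id):
    """Second-order injection: the stored text is trusted because it 'came from
    the DB' and is concatenated into a new statement. Now the SQL inside it runs.
    executescript() executes every ';'-separated statement, the way a SQL Server
    batch would; the single-statement execute() would merely raise an error."""
    stored = load_page(conn, account_id)
    conn.executescript("INSERT INTO AuditLog (AccountId, Html) VALUES ("
                       + str(account_id) + ", '" + stored + "')")


if __name__ == "__main__":
    conn = make_db()
    save_page(conn, 10, HOSTILE_HTML)
    print(load_page(conn, 10) == HOSTILE_HTML)   # True: stored verbatim, nothing executed
    print(render_as_text(HOSTILE_HTML))           # &lt;b&gt;hello&lt;/b&gt;&lt;script&gt;...
    archive_page_safe(conn, 10)
    print(table_exists(conn, "Pages"))            # True
    archive_page_unsafe(conn, 10)
    print(table_exists(conn, "Pages"))            # False: the stored payload finally ran
```

The answer to the question's second point is therefore "no, not by being loaded", but only because the load is parameterised; the same string becomes an injection the moment any later code pastes it into SQL text.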

0
Filburt On

The fundamental concept of this kind of exploit is to find a way to terminate the SQL statement the developer intended to execute and inject a following (malicious) statement.

If, in your example, you use the value for the accountid parameter directly and without any validation from your page's query string, I could inject my malicious SQL statement just like described in the comic linked in my comment.

0
D Stanley On

What you're describing isn't really "SQL injection", but rather code injection. You are concerned that a hacker could enter executable code (likely JavaScript) that would get executed when the content is rendered.

SQL injection is when a hacker formats input so that it redirects the back-end SQL statement to do something malicious. For example:

sql = "SELECT * FROM User WHERE ID = '" + ID + "' AND Password = '" + PASSWORD + "'"

if ID contained "' OR 1=1 -- " then you end up with the command:

SELECT * FROM User WHERE ID = '' OR 1=1 -- AND Password = ''

So all users are returned, since the remaining SQL is effectively commented out.

Using parameters protects you against SQL injection - it does NOT protect you against code injection - that requires being extremely careful about rendering data in the HTML that could possibly be executed. The safest way is to just HTML-encode the input so that data like <script> gets turned into harmless &lt;script&gt; text. If you DO want to allow some HTML tags (like <strong>) but be safe from code injection, you will need to examine the text, looking for potentially dangerous tags and stripping them out as necessary.

0
AL-Tamimi On

There are many ways to do SQL injection, and I will stick to a very basic example to better understand the concept behind it.

Normally, you would need to watch the POST requests and analyze the queries being sent to the server. For example, if you want to hack a login page, I would do the following SQL statement on the login form itself:

select * from users where username='admin' and password='' OR '1'='1'

This statement can also be read this way:

select * from users where username='admin' and password='' OR TRUE

With the query above I will be able to log in to your system. I would also be able to change the query further to get a list of users in your database or even DROP the entire table.
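The tautology bypass described in slambeth's, D Stanley's and AL-Tamimi's answers, carried through in runnable form as an added example that is not from any of those answers. It uses Python's standard sqlite3 module as a stand-in for the ADO.NET / SQL Server stack the question is about; the Users table, its two rows and the attacker inputs are constructed for the demonstration (passwords are kept in clear text only to match the answers' query; a real system compares a hash). The same login query is built once by concatenation and once with bind variables, and the two payloads from the answers are run against both.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for Users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "hunter2"), ("joe", "xyz123")])
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the form values are pasted into the SQL text, so quotes, OR
    and -- typed by the user become part of the statement the server parses."""
    sql = ("SELECT UserName FROM Users WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Safe: the same query with bind variables. The driver sends the values
    separately from the SQL text, so they are only ever compared as data."""
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed attacker inputs, (username, password), from the answers above.
# D Stanley's: the quote closes UserName, OR 1=1 is always true, -- comments
# out the rest, so the password is never checked.
COMMENT_PAYLOAD = ("' OR 1=1 -- ", "")
# AL-Tamimi's: password='' OR '1'='1' ; AND binds tighter than OR, so the
# whole WHERE clause is true for every row.
QUOTE_PAYLOAD = ("admin", "' OR '1'='1")


if __name__ == "__main__":
    conn = make_db()
    print(login_concat(conn, "joe", "xyz123"))    # ['joe']            legitimate login
    print(login_concat(conn, *COMMENT_PAYLOAD))   # ['admin', 'joe']   every user matches
    print(login_concat(conn, *QUOTE_PAYLOAD))     # ['admin', 'joe']
    print(login_param(conn, "joe", "xyz123"))     # ['joe']            still works
    print(login_param(conn, *COMMENT_PAYLOAD))    # []                 payload is just an odd password
    print(login_param(conn, *QUOTE_PAYLOAD))      # []
```

Note that the parameterised version needs no escaping or blacklist of characters: the payload strings reach the server unchanged, but as values, and simply fail to match any row.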

0
Icemanind On

Here's how SQL injection works. Let's say you have a login page that asks for a username and a password. After you collect the username and password, you need to verify that the credentials are correct. To do that involves a call to the database. If Joe comes along and logs in, your authentication SQL might look like this:

SELECT * FROM [Users] WHERE [UserName]='joe' AND [Password]='xyz123'

Looks good and works fine, correct? No!!!!!!!

Let's say Joe is an evil hacker. He wants to delete all the rows in your database table. Instead of typing in a username or password on the form, he types this:

UserName:   joe
Password:   '; DELETE FROM [Users]; --

Now when your SQL statement gets sent to the SQL Server, it looks like this:

SELECT * FROM [Users] WHERE [UserName]='joe' AND [Password]=''; DELETE FROM [Users]; --'

Guess what! Joe just deleted all your rows!!!!!

To prevent this, any input that ultimately gets sent to the SQL server should be parameterized. By doing this, your strings are escaped and evil people like Joe will not destroy your life's work.