
Tips for the PHP developer to prevent from SQL injection

As we saw in the previous post, there are several ways to prevent SQL injection. If you have not read it yet, read that first.

Today I am going to share some tips for PHP developers on how to make their sites secure against SQL injection. There are a number of things to do; one of them is shown below.


Let us see the first one.

Suppose your code is as below:

<?php
// Vulnerable: the raw $_GET['id'] value is concatenated straight into the SQL text.
$result = mysql_query('SELECT Text FROM pages WHERE id=' . $_GET['id']);
// mysql_query() returns a result resource, so fetch a row before printing.
$row = mysql_fetch_assoc($result);
echo $row['Text'];
?>



As shown in the code above, you select the page content (the "Text" column) from the "pages" table in the SQL database, and you pick the right page with $_GET['id'], which is the id value taken from the URL, for example:

http://www.example.com/index.php?id=123

This code is easily injected by someone, but if you do this instead:

<?php
// The post's fix: run the URL value through mysql_real_escape_string() before concatenating it.
$result = mysql_query('SELECT Text FROM pages WHERE id=' . mysql_real_escape_string($_GET['id']));
$row = mysql_fetch_assoc($result);
echo $row['Text'];
?>

Then you are 100% secure. If you like this post, please share it with your friends and make them aware of SQL injection too.

Ways to prevent your webserver from SQL Injection

As we all know, today SQL injection is the easiest way to hack someone's website or any company's website; most hackers and script kiddies are using it.
So today I am going to share some ways to prevent SQL injection on your own website, or maybe on your company's website.

(1) Always use the email id instead of the user id

This is one of the best ways to prevent SQL injection: use an email id as the login name. The code is then written to validate the field so that it accepts nothing but an email address, so an SQL injection string is not accepted and the injection is prevented this way.

(2) Never use default admin login page.

Another way to protect your website from SQL injection is to never use the default admin login page, such as "AdminLogin". Use something different, such as "SuperLogin.asp" or "GentalLogin.asp", which cannot easily be found through search-engine hacks (Google, Yahoo, Bing, etc.). When a hacker searches for your admin login page, he/she will try "AdminLogin.asp" or "Admin|Login.asp" or something similar, get no result, and become frustrated; hence your site is protected.

(3) Keep your admin page hidden from others.

As we all know, nothing in this universe is secure; only one opportunity is required. SQL injection is only possible through your admin login panel, or sometimes through the URL. So never show or link your "AdminLogin" page on your site; always keep it hidden from other users. If you show the "AdminLogin" page directly on your site, you are giving hackers an opportunity to hack your site.

(4) Social engineering.

Never show your website's vulnerabilities to anyone, and never discuss them with any single person. Without asking or discussing, just try to find a solution by searching on Google. Finally, never show any kind of warning message on your login page such as "We are using a transparent proxy; don't try to hack, otherwise legal action will be taken."


Friends, I hope you like these tips for protecting your website from SQL injection. If you found them helpful in any way, share them with others too.


SQL METHOD ~ SQL MANIPULATION


As discussed in the earlier post, SQL manipulation is the most commonly described attack for all types of databases (including SQL Server, MySQL, PostgreSQL, and Oracle). Let us look at the SQL manipulation method in some detail, starting with the basics.

Note: SQL statements are used in this chapter to demonstrate the SQL injection method. In order to be programming-language neutral, only the developer-intended and attacker-manipulated SQL statements are presented. The highlighted portions (blue italics in the original) show a sample of what input the programmer expects and what an attacker might actually enter into a string field of the application.

                       The most common type of SQL Injection attack is SQL manipulation.  The attacker attempts to modify  the existing SQL statement by adding elements to the WHERE clause or extending the SQL statement  with set operators like UNION, INTERSECT, or MINUS.  There are other possible variations, but these are the most significant examples.

Example : 

The classic SQL manipulation is during the login authentication. A simplistic web application may check user authentication by executing the following query and checking to see if any rows were returned –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword'  

The attacker attempts to manipulate the SQL statement to execute as –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'  

Based on operator precedence, the WHERE clause is true for every row and the attacker has gained
access to the application.

The set operator UNION is frequently used in SQL injection attacks.  The goal is to manipulate a SQL
statement into returning rows from another table.  A web form may execute the following query to
return a list of available products –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs%'


The attacker attempts to manipulate the SQL statement to execute as –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs' 
UNION 
SELECT username FROM dba_users 
WHERE username like '%'

The list returned to the web form will include all the selected products, but also all the database users.
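The login manipulation above and the PHP page lookup from the first post, as an added example that is not from the original posts: constructed in-memory sqlite3 tables stand in for users and pages, and the bound variants show the bind-variable defence the page recommends. Names such as login_concat, login_bound and get_page are this example's own.

```python
import sqlite3

# Constructed in-memory stand-ins for the "users" and "pages" tables used in the posts.
# A real application stores a password hash, not the password itself; plaintext is kept
# here only so the query shape matches the post.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, text TEXT)")
conn.execute("INSERT INTO users VALUES ('bob', 'mypassword')")
conn.executemany("INSERT INTO pages VALUES (?, ?)",
                 [(123, "welcome page"), (124, "contact page")])


def login_concat(username: str, password: str) -> bool:
    """The vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_bound(username: str, password: str) -> bool:
    """Bind variables: the driver sends the values separately, so they are never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def get_page(raw_id: str):
    """Numeric id from the URL: validate the type first, then bind it.

    String escaping is the wrong tool for an unquoted number; the integer
    conversion rejects anything that is not a plain id before any SQL runs.
    """
    page_id = int(raw_id)  # raises ValueError for input that is not an integer
    row = conn.execute("SELECT text FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    tampered = "mypassword' or 'a'='a"   # the manipulated password input shown in the post
    print("concatenated:", login_concat("bob", tampered))  # True: WHERE clause true for every row
    print("bound:       ", login_bound("bob", tampered))   # False: compared literally as a password
    print("page 123:    ", get_page("123"))
```

The mysql_* functions used in the PHP post were removed in PHP 7; mysqli or PDO prepared statements are the PHP equivalent of the bound queries here.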




Also see: What is SQL Injection? and the SQL Injection category.

SQL injection categories


SQL injection attacks are simple in nature – an attacker passes string input to an application in hopes of manipulating the SQL statement to his or her advantage. The complexity of the attack involves exploiting a SQL statement that may be unknown to the attacker. Open-source applications and commercial applications delivered with source code are more vulnerable since an attacker can find potentially vulnerable statements prior to an attack.


CATEGORIES OF SQL INJECTION ATTACKS

There are four main categories of SQL Injection attacks against Oracle databases –

1.  SQL Manipulation
2.  Code Injection
3.  Function Call Injection
4.  Buffer Overflows

The first two categories, SQL manipulation and code injection, should be well known to the reader, as
these are the most commonly described attacks for all types of databases (including SQL Server,
MySQL, PostgreSQL, and Oracle).

SQL manipulation typically involves modifying the SQL statement through set operations (e.g.,
UNION) or altering the WHERE clause to return a different result.  Many documented SQL injection
attacks are of this type.  The most well known attack is to modify the WHERE clause of the user
authentication statement so the WHERE clause always results in TRUE.

Code injection is when an attacker inserts new SQL statements or database commands into the SQL
statement.  The classic code injection attack is to append a SQL Server EXECUTE command to the
vulnerable SQL statement.  Code injection only works when multiple SQL statements per database
request are supported.  SQL Server and PostgreSQL have this capability and it is sometimes possible
to inject multiple SQL statements with Oracle.  Oracle code injection vulnerabilities involve the
dynamic execution of SQL in PL/SQL.

The last two categories are more specific attacks against Oracle databases and are not well known or
documented.  In the vast majority of our application audits, we have found applications vulnerable to
these two types of attacks.

Function call injection is the insertion of Oracle database functions or custom functions into a
vulnerable SQL statement.  These function calls can be used to make operating system calls or
manipulate data in the database.

SQL injection of buffer overflows is a subset of function call injection.  In several commercial and
open-source databases, vulnerabilities exist in a few database functions that may result in a buffer
overflow.  Patches are available for most of these vulnerabilities, but many production databases
remain un-patched.

WHAT’S VULNERABLE

An application is vulnerable to SQL injection for only one reason – end user string input is not properly
validated and is passed to a dynamic SQL statement without any such validation.  The string input is
usually passed directly to the SQL statement.  However, the user input may be stored in the database
and later passed to a dynamic SQL statement, referred to as a second-order SQL injection.  Because
of the stateless nature of many web applications, it is common to write data to the database or store it
using some other means between web pages.  This indirect type of attack is much more complex and
often requires in-depth knowledge of the application.

WHAT’S NOT VULNERABLE

SQL Statements using bind variables are generally protected from SQL Injection as the Oracle
database will use the value of the bind variable exclusively and not interpret the contents of the
variable in any way.  PL/SQL and JDBC allow for bind variables.  Bind variables should be extensively
used for both security and performance reasons.  

Also see: What is SQL injection?

What Is SQL Injection ?


Most of my students ask me about SQL injection, so today I shall share some information about it. The concept is too wide to cover fully; here I give only an overview.

Most application developers underestimate the risk of SQL injection attacks against applications that use Oracle as the back-end database. Our audits of custom web applications show that many application developers do not fully understand the risk of SQL injection attacks and the simple techniques used to prevent such attacks.
This blog is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide instructions on executing these attacks.

SQL INJECTION OVERVIEW 


SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database. The basic principles underlying SQL injection are simple and these types of attacks are easy to execute and master.

Any program or application may be vulnerable to SQL injection including stored procedures executed with a direct database connection, Oracle Forms applications, web applications, etc. Numerous SQL injection vulnerabilities have been found in the standard Oracle Database packages such as DBMS_DATAPUMP, DBMS_REGISTRY, and DBMS_METADATA (see Oracle Critical Patch Update January 2006). Web applications are at highest risk to attack since often an attacker can exploit SQL injection vulnerabilities remotely without any database or application authentication.

Web applications using Oracle as a back-end database are more vulnerable to SQL injection attacks than most application developers think. Our application audits have found many web applications vulnerable to SQL injection even though well-established coding standards were in place during development of many of these applications. Function-based SQL injection attacks are of most concern, since these attacks do not require knowledge of the application and can be easily automated.


Fortunately, SQL injection attacks are easy to defend against with simple coding practices. However, every parameter passed to every dynamic SQL statement must be validated, or bind variables must be used.

SQL INJECTION: ORACLE VERSUS OTHER DATABASES 


Oracle generally fares well against SQL injection attacks as there is no multiple SQL statement support (SQL Server and PostgreSQL), no EXECUTE statement (SQL Server), and no INTO OUTFILE function (MySQL) – all methods frequently used to exploit SQL injection vulnerabilities. In addition, the use of bind variables in Oracle environments for performance reasons provides the most effective protection against SQL injection attacks.

Oracle may have fewer attack vectors for SQL injection than other databases; however, Oracle-based applications without proper defenses against these types of attacks can still be vulnerable and can be easily exploited through SQL injection vulnerabilities.