
What is SQL Injection and how to fix it

1. Introduction

In this article, we learn about the SQL injection security vulnerability in web applications. We see an example of SQL injection, learn in depth how it works, and see how we can fix this vulnerability. We use PHP and MySQL for the examples. SQL injection is the top exploit used by hackers and is one of the top attacks listed by the OWASP community.

2. What is SQL Injection

SQL injection is an attack mostly performed on web applications. In SQL injection, the attacker injects a portion of malicious SQL through some input interface, such as a web form. The injected statements go to the database server behind the web application and may perform unwanted actions, such as giving access to an unauthorised person or deleting or reading sensitive information. The SQL injection vulnerability may affect any application powered by a database that supports SQL, such as Oracle, MySQL and others.

SQL injection attacks are among the most widely used, oldest and most dangerous application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists injection in its OWASP Top 10 document as the top threat to web application security.

3. Example of SQL Injection

Let's create a form in HTML:

<!DOCTYPE html>
<html>
<body>
<h2>SQL injection in web applications</h2>
<!-- method="post" so that form-handler.php can read the fields from $_POST -->
<form action="/form-handler.php" method="post">
Username:<br>
<input type="text" name="username" value="">
<br>
Password:<br>
<input type="password" name="password" value="">
<br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

When we click Submit, the form above posts to the PHP script below (form-handler.php):

<?php
// Legacy mysql_* extension, as used in the original example; it was removed in PHP 7.
mysql_connect('localhost', 'root', 'root');
mysql_select_db('bootsity');

$username = $_POST["username"];
$password = $_POST["password"];

// Vulnerable: the user input is concatenated directly into the SQL text,
// so quotes and keywords typed into the form become part of the query.
$query = "SELECT * FROM Users WHERE username = '" . $username
    . "' AND password = '" . $password . "'";

$re = mysql_query($query);

if (mysql_num_rows($re) == 0) {
    echo 'Not Logged In';
} else {
    echo 'Logged In';
}
?>

4. How SQL Injection works

In the above example, assume that the user fills in the form as follows:

1. Username: ' or '1'='1
2. Password: ' or '1'='1

Now our $query becomes:

SELECT * FROM Users WHERE username = '' or '1'='1' AND password = '' or '1'='1'

Because AND binds more tightly than OR, the database evaluates this as username = '' OR ('1'='1' AND password = '') OR '1'='1', and the final condition is true for every row. So the query always returns rows, and the script prints Logged In in the browser. The attacker does not know any username or password registered in the database, but is still able to log in.

5. Fixing SQL Injection

Now we understand how SQL injection works in PHP. Generally, the best solution is to use prepared statements and parameterized queries. With a prepared statement, the SQL text (containing placeholders) is sent to the database engine and parsed first; the user-supplied values are sent separately afterwards and are treated purely as data, so they can never change the structure of the query. Let us see these approaches below:

5.1 Using PDO

We can change our form-handler.php to use PDO:

<?php
$dsn = "mysql:host=localhost;dbname=bootsity";
$user = "root";
$passwd = "root";

$pdo = new PDO($dsn, $user, $passwd);
// Raise exceptions on database errors instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$username = $_POST["username"];
$password = $_POST["password"];

// The SQL text is fixed; the user input is bound to the named placeholders
// and is never spliced into the statement.
$stmt = $pdo->prepare('SELECT * FROM Users WHERE username = :username AND password = :password');
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();

// A PDOStatement is not countable; fetch a row to see whether anything matched.
if ($stmt->fetch() === false) {
    echo 'Not Logged In';
} else {
    echo 'Logged In';
}

// PDO has no close() method; releasing the objects closes the connection.
$stmt = null;
$pdo = null;
?>

5.2 Using MySQLi (Only for MySQL)

We can also use MySQLi in our form-handler.php to fix the SQL injection issue:

<?php
$servername = "localhost";
$dbuser = "root";
$dbpass = "root";
$dbname = "bootsity";

// Create connection
$conn = new mysqli($servername, $dbuser, $dbpass, $dbname);
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}

$username = $_POST["username"];
$password = $_POST["password"];

// prepare and bind: the type string "ss" declares both parameters as strings
$stmt = $conn->prepare('SELECT * FROM Users WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $username, $password);
$stmt->execute();

// buffer the result set so that num_rows is available
$stmt->store_result();
if ($stmt->num_rows == 0) {
    echo 'Not Logged In';
} else {
    echo 'Logged In';
}

$stmt->close();
$conn->close();
?>
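The script below is an added example, not code from the original article: it runs the section 4 input against both the concatenated query of section 3 and the PDO prepared statement of section 5.1, so the two behaviours can be compared side by side. It uses an in-memory SQLite database (pdo_sqlite extension) instead of MySQL so it runs offline; the user row is constructed sample data and the function names are this example's own.

```php
<?php
// Added example (not from the original article): the section 4 input run
// against the vulnerable concatenation of section 3 and the PDO prepared
// statement of section 5.1. Uses an in-memory SQLite database so it needs
// no MySQL server (requires the pdo_sqlite extension). The user row is
// constructed sample data; the function names are this example's own.

function setupDatabase(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $pdo->exec("INSERT INTO Users (username, password) VALUES ('alice', 's3cret')");
    return $pdo;
}

// Vulnerable: the input is spliced into the SQL text, so quotes and keywords
// in it become part of the query. Returns the SQL sent and the rows matched.
function loginVulnerable(PDO $pdo, string $username, string $password): array {
    $query = "SELECT * FROM Users WHERE username = '" . $username
        . "' AND password = '" . $password . "'";
    $rows = $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
    return ['sql' => $query, 'matched' => count($rows)];
}

// Fixed: the SQL text is constant; the values travel as bound parameters and
// are compared as plain strings, quotes and all.
function loginPrepared(PDO $pdo, string $username, string $password): array {
    $sql = 'SELECT * FROM Users WHERE username = :username AND password = :password';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':username', $username);
    $stmt->bindValue(':password', $password);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return ['sql' => $sql, 'matched' => count($rows)];
}

$pdo = setupDatabase();
$injected = "' or '1'='1";   // the value from section 4, typed into both fields

foreach ([
    'vulnerable, real credentials' => loginVulnerable($pdo, 'alice', 's3cret'),
    'vulnerable, injected input'   => loginVulnerable($pdo, $injected, $injected),
    'prepared, real credentials'   => loginPrepared($pdo, 'alice', 's3cret'),
    'prepared, injected input'     => loginPrepared($pdo, $injected, $injected),
] as $label => $result) {
    printf("%-30s matched %d row(s)\n    %s\n", $label, $result['matched'], $result['sql']);
}
```

Run it from the command line with php; the vulnerable function matches the user row for the injected input, while the prepared statement matches nothing because the quotes are compared as literal characters of the username.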

6. More notes on SQL Injection

We saw one way of SQL injection. There can be other ways as well; it mostly depends on the creativity of the attacker. One other method that may lead to more severe consequences is the following.

Assume the example code:

// getRequestString is the article's placeholder for reading a request parameter
$username = getRequestString("UserId");
$query = "SELECT * FROM Users WHERE username = " . $username;

If the end user passes the value 1; DROP TABLE profiles; then $query becomes:

SELECT * FROM Users WHERE username = 1; DROP TABLE profiles;

Whether the second statement actually runs depends on the database driver and API in use (several PHP APIs refuse to execute more than one statement per call), but that is not a defence to rely on. This is why, in our applications, we should use database connections that have only the permissions they require: an account that is not allowed to DROP tables cannot be used to drop them, whatever text is injected.

7. Conclusion

In this article, we learned what SQL injection is and how we can avoid loopholes in our web applications that may result in SQL injection attacks. In the upcoming articles, we will learn more about other security vulnerabilities in web applications. The complete code example that we used is available on Github for your practice. If you have any queries, or you want to share more things related to SQL injection, you may share in the comments below. Cheers to you.
