SQL Injection

SQL (pronounced "sequel"), or Structured Query Language, is a language used to access, modify, or insert data in a database. The backend of many modern web applications is an SQL-based database. While most applications won't let us directly access the database, if the application does not filter user input we can supply specific input designed to modify the SQL queries so that they do what we want. This technique is known as SQL Injection.

OR 1 = 1

One of the simplest forms of SQL Injection is the 'OR 1=1' injection. To give an example, let's say an application has a feature that allows you to type in your username and in return it shows you your password (there are several security-based reasons a feature like this should not exist, but let's just say it does). The SQL statement that feature uses to retrieve the password may look something like this:

SELECT password FROM users WHERE username='$username';

Normally the user would input his or her name and $username would store that value making the statement look something like this:

SELECT password FROM users WHERE username='bob';

Now let's say I'm a hacker who wants to get the passwords of all the users in the system, but I'm not quite sure what their usernames are. As a hacker I could type in something like:

' OR '1' = '1

changing the query that retrieves the password to:

SELECT password FROM users WHERE username='' OR '1' = '1';

Since '1' = '1' is always true, and any OR condition with a clause that is always true is itself always true, this statement will return every password in the table.
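As an added example (not code from the original page), here is the password-lookup feature described above implemented twice in Python over a constructed in-memory SQLite table: once by splicing the username into the query text the way the `$username` statement does, and once with a bound parameter, which is the fix. The table contents, function names and sample values are assumptions.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# application's "users" table described in the text.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("bob", "hunter2"), ("alice", "s3cret"), ("carol", "pa55")])
    con.commit()
    return con

def lookup_vulnerable(con, username):
    # Builds the query by string concatenation, exactly like the
    # "WHERE username='$username'" statement above. The input becomes part
    # of the SQL text, so a quote in it changes the query's structure.
    sql = "SELECT password FROM users WHERE username='" + username + "';"
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, username):
    # The hardened form: the value is passed as a bound parameter, so the
    # database treats it purely as data and never as part of the SQL.
    sql = "SELECT password FROM users WHERE username=?"
    return [row[0] for row in con.execute(sql, (username,))]

def demo():
    con = build_db()
    normal = "bob"
    payload = "' OR '1' = '1"   # the injection input shown in the text
    return {
        "vuln_normal": lookup_vulnerable(con, normal),     # one password
        "vuln_payload": lookup_vulnerable(con, payload),   # every password
        "param_normal": lookup_parameterized(con, normal), # one password
        "param_payload": lookup_parameterized(con, payload),  # no match
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the parameterized query the same input simply looks for a user literally named `' OR '1' = '1`, which does not exist, so nothing is returned.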

Batched SQL Statements

Another more powerful form of SQL Injection is using Batched SQL Statements. This allows us to write full SQL statements that are then executed by the server, rather than being limited to just modifying an existing statement.

sql_injection.1570310171.txt.gz · Last modified: 2019/10/05 16:16 by acm