A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
Here is a basic HTML login form with two inputs:
<form method="post" action="/login">
  <input name="username" type="text" id="username">
  <input name="password" type="password" id="password">
</form>
The common way for /login to work is by building a database query. If the variables $request.username and $request.password are taken directly from the user's input, this can be compromised:
SELECT id FROM Users WHERE username = '$request.username' AND password = '$request.password'
For example, if a user inserts admin' or 1=1 -- as the username, they will bypass the login form without providing a valid username/password combination. The query the application sends becomes:
SELECT id FROM Users WHERE username = 'admin' or 1=1 --' AND password = '$request.password'
The issue is that the ' in the username closes out the username field, then the -- starts a SQL comment, causing the database server to ignore the rest of the string (including the password check). Because the web application's inputs are not sanitized, the query has been modified in a malicious way.
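The string-built login query above placed beside a parameterized version of the same check, as an added runnable example that is not part of the original page. The in-memory SQLite table, the admin row and the password value are constructed sample data:

```python
import sqlite3


def make_db():
    # Constructed sample database: one Users table with a single admin account.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO Users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the query by pasting the user-supplied values into SQL text,
    # exactly like the /login example: a quote in the input ends the literal
    # and '--' turns the rest of the statement into a comment.
    sql = (
        f"SELECT id FROM Users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Same check, but the values are bound as parameters. The driver sends
    # them as data, so quotes and comment markers in the input are matched
    # literally against the stored values and never change the query shape.
    sql = "SELECT id FROM Users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 --"
    print("vulnerable, injected username  ->", login_vulnerable(db, payload, "x"))
    print("parameterized, injected username ->", login_parameterized(db, payload, "x"))
    print("parameterized, valid credentials ->", login_parameterized(db, "admin", "s3cret"))
```

The vulnerable function returns the admin id for the injected username with any password, while the parameterized one only returns it for the real credentials.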