My friends always ask me how I got into their sites without even knowing a username and password for the login. I keep telling them that I am the biggest hacker on earth, but that is just a joke. The truth is that most programmers miss a very basic concept of database handling, and it is a pity that they are not aware of it. This mistake leads to SQL Injection...
SQL Injection
SQL Injection happens when a user succeeds in injecting his/her own code into the database through some SQL query. The easiest way to check for it is to find a textbox on the website whose contents are picked up and used in a query, and type a single quote ( ' ) into it. If the page returns an error, the site is vulnerable to SQL Injection. Now, to actually perform the injection, try the following statement in that textbox...
' OR 1 = 1 --
See what it will do...
If you have two textboxes, one for the username and one for the password, and you write this line into the username textbox, leaving the password blank (or putting some junk value in it), the query that the page executes will be changed...
The original Query...
Select * from tblUsers where Username = '" & txtusername.text & "' and Password = '" & txtpassword.text & "'"
When the username textbox contents are spliced into this query, it becomes...
Select * from tblUsers where Username = '' OR 1 = 1 -- ' and Password = ''
Now, as you know, two hyphens -- start a comment in SQL, so everything after them is ignored. You actually end up with a query whose where clause is just Username = '' OR 1 = 1. Only one side of an OR has to be true, and 1 = 1 is always true, so this query returns every row, i.e. the entire user table.
Here programmers make another mistake: they simply use the first record they get back. In most cases I have found that the first record belongs to the holy administrator, which makes you "god" of the site.
REMEDY
If you want your site to be safe from SQL Injection, all you have to do is perform one very small step.
* Don't allow any text entered by user to get directly into queries *
Always copy the text into another variable first, and replace every single quote in it with two single quotes.
i.e.
Username = txtUsername.Text.Replace("'", "''") ' For ASP.NET (VB)
Username = Replace(Request("txtUsername"), "'", "''") ' For classic ASP
This will change the above query to...
Select * from tblUsers where Username = ''' OR 1 = 1 -- ' and Password = ''
Hence, you will actually compare the Username column with the string ' OR 1 = 1 -- and the Password column with a blank (or junk) value, so no row matches.
This replacement must be done on each and every page, not only on the login page, because if injection is allowed on any other page it will still let a user hack into your system and play with it.
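To see the whole story above in running code, here is an added example that is not part of the original post. It uses Python with SQLite (standing in for the SQL Server the post has in mind, so the `--` comment and quote-doubling rules are the same) and a constructed two-user tblUsers table. It shows the post's lone-quote check, the concatenated query returning every row for the post's ' OR 1 = 1 -- string, the post's quote-doubling remedy, and the same login written as a parameterized query. Function names, the sample users and the table contents are my own assumptions.

```python
import sqlite3

# Constructed sample data, not from the original post: a tiny tblUsers table.
SAMPLE_USERS = [
    ("admin", "s3cret-admin"),
    ("alice", "alice-pass"),
]

PAYLOAD = "' OR 1 = 1 --"  # the string quoted in the post


def make_db():
    """Build an in-memory SQLite database with the post's tblUsers layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """The post's original query: user text is spliced straight into the SQL.
    Returns the matching rows; a ' OR 1 = 1 -- username returns every user."""
    sql = ("SELECT * FROM tblUsers WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def errors_on_lone_quote(conn):
    """The post's check: a lone single quote makes a concatenated query fail
    to parse. True means this code path is vulnerable."""
    try:
        login_concatenated(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


def login_quote_doubled(conn, username, password):
    """The post's remedy: double every single quote before splicing it in, so
    the injected text stays inside the string literal and is compared as data."""
    safe_user = username.replace("'", "''")
    safe_pass = password.replace("'", "''")
    sql = ("SELECT * FROM tblUsers WHERE Username = '" + safe_user +
           "' AND Password = '" + safe_pass + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Parameterized query: the driver sends user text as bound values, so the
    programmer never has to remember a quoting rule on any page."""
    sql = "SELECT * FROM tblUsers WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def authenticate(conn, username, password):
    """Accept the login only when exactly one row matches, instead of blindly
    taking the first record returned (the second mistake the post describes).
    Returns the matched username or None."""
    rows = login_parameterized(conn, username, password)
    if len(rows) != 1:
        return None
    return rows[0][0]


if __name__ == "__main__":
    conn = make_db()
    print("lone quote errors:", errors_on_lone_quote(conn))
    print("concatenated     :", login_concatenated(conn, PAYLOAD, "junk"))
    print("quote doubled    :", login_quote_doubled(conn, PAYLOAD, "junk"))
    print("parameterized    :", login_parameterized(conn, PAYLOAD, "junk"))
    print("authenticate     :", authenticate(conn, "alice", "alice-pass"))
```

Running it prints two rows for the concatenated query and an empty list for both the quote-doubled and the parameterized versions. Note that quote doubling only protects values that sit inside a quoted string literal and has to be repeated by hand on every page, which is exactly the gap the post warns about; binding parameters removes that burden, because the database never parses the user's text as SQL at all.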
How bad it can be
A hacker/cracker can easily create a user and grant him all rights through SQL Injection. Once such a user exists on the server, he can use Enterprise Manager or Query Analyzer to connect to your server, and from there he can do whatever he wants.
He can also execute commands on your shell through the SQL Server's shell command executor, and from there delete any of your important files. All of this from a single textbox that was not handled properly.
So if you are a programmer, make a note never to miss this again; and if you are a hacking aspirant, happy hacking (but don't do cracking).
