SQL Injection
An SQL Injection can destroy your database.

SQL in Web Pages

In the previous chapters, you have learned to retrieve (and update) database data, using SQL.

When SQL is used to display data on a web page, it is common to let web users input their own search values.

Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically change SQL statements to provide the user with selected data:
Server Code

The example above creates a select statement by adding a variable (txtUserId) to a select string. The variable is fetched from the user input (Request) to the page.
http://www.w3schools.com/sql/sql_injection.asp
The rest of this chapter describes the potential dangers of using user input in SQL statements.

SQL Injection

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.

Injected SQL commands can alter the SQL statement and compromise the security of a web application.
SQL Injection Based on 1=1 is Always True

Look at the example above, one more time.

Let's say that the original purpose of the code was to create an SQL statement to select a user with a given user id.

If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

UserId: 105 or 1=1
Server Result

The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true.

Does the example above seem dangerous? What if the Users table contains names and passwords?

The SQL statement above is much the same as this:
A smart hacker might get access to all the user names and passwords in a database by simply inserting 105 or 1=1 into the input box.

SQL Injection Based on ""="" is Always True

Here is a common construction, used to verify user login to a web site:

User Name:
Password:
Server Code

A smart hacker might get access to user names and passwords in a database by simply inserting " or ""=" into the user name or password text box.

The code at the server will create a valid SQL statement like this:

Result
The result SQL is valid. It will return all rows from the table Users, since WHERE ""="" is always true.
SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statements, separated by semicolon.

Example

The SQL above will return all rows in the Users table, and then delete the table called Suppliers.

If we had the following server code:

Server Code

And the following input:

User id: 105; DROP TABLE Suppliers

The code at the server would create a valid SQL statement like this:

Result
Parameters for Protection

Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.

This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks) are used in common language, and should be allowed in many types of input.

(In fact it should be perfectly legal to input an SQL statement in a database field.)

The only proven way to protect a web site from SQL injection attacks is to use SQL parameters.

SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example

Note that parameters are represented in the SQL statement by a @ marker.
The SQL engine checks each parameter to ensure that it is correct for its column and that it is treated literally, and not as part of the SQL to be executed.

Another Example
You have just learned to avoid SQL injection, one of the top website vulnerabilities.

Examples

The following examples show how to build parameterized queries in some common web languages.

SELECT STATEMENT IN ASP.NET:

INSERT INTO STATEMENT IN ASP.NET:

INSERT INTO STATEMENT IN PHP:
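The tutorial's own ASP.NET and PHP listings did not survive extraction, so here is an added Python/sqlite3 example (not code from the original page) that puts the concatenated queries from the 1=1 and ""="" sections beside their parameterized counterparts. The Users table, its rows and the use of single quotes as the string delimiter are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory sample data (an assumption, not the tutorial's own table).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
conn.executemany(
    "INSERT INTO Users VALUES (?, ?, ?)",
    [(101, "alice", "s3cret"), (105, "bob", "hunter2"), (110, "carol", "pa55")],
)
conn.commit()


def vulnerable_lookup(txt_user_id: str) -> list:
    # Concatenation: whatever the user typed becomes part of the SQL text,
    # so "105 OR 1=1" turns the WHERE clause into one that is always true.
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()


def vulnerable_login(u_name: str, u_pass: str) -> list:
    # Same defect in the login check (single quotes delimit the strings here);
    # the input ' or ''=' closes the literal and appends an always-true clause.
    sql = ("SELECT * FROM Users WHERE Name = '" + u_name
           + "' AND Pass = '" + u_pass + "'")
    return conn.execute(sql).fetchall()


def safe_lookup(txt_user_id: str) -> list:
    # Parameter marker (? in sqlite3, @name in ASP.NET): the value is bound at
    # execution time and compared literally, never parsed as SQL.
    sql = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(sql, (txt_user_id,)).fetchall()


def safe_login(u_name: str, u_pass: str) -> list:
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (u_name, u_pass)).fetchall()


if __name__ == "__main__":
    evil_id = "105 OR 1=1"
    evil_str = "' or ''='"
    print(len(vulnerable_lookup(evil_id)), "rows with concatenation")   # 3
    print(len(safe_lookup(evil_id)), "rows with parameters")            # 0
    print(len(vulnerable_login(evil_str, evil_str)), "rows with concatenation")   # 3
    print(len(safe_login(evil_str, evil_str)), "rows with parameters")            # 0
```

With a bound parameter the whole input is compared against the UserId column as one value, which matches no row, while the ordinary inputs "105" and "bob"/"hunter2" still return their single row.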
W3Schools is optimized for learning, testing, and training. Examples might be simplified to improve reading and basic understanding. Tutorials, references, and examples are constantly reviewed to avoid errors, but we cannot warrant full correctness of all content. While using this site, you agree to have read and accepted our terms of use, cookie and privacy policy. Copyright 1999-2015 by Refsnes Data. All Rights Reserved.