In case anyone hasn’t been bashed over the head enough with SQL Injection strategies and mitigation, lets have a quick look at the simplest methods.
So lets assume that we want to log in to example.com and we have a login screen that takes a username and password. The very simplest injection could be to put the username admin’ — where admin is a valid username. What this does is close the quote early forĀ the username query and blocks anything further on the line by making it a comment.
This will work for the case where a query looka like:
SELECT * FROM users WHERE username='” & username & “‘ AND Password='” & encrypt(password) & “‘;
But where the password check is first, this would require a slightly different approach. Basically, this would mean that we would need to change the username field to something like this:
‘ OR username=’admin’; —
but this would required at least some knowledge of the back end. Html fields can be used trivially if there is no validation or filtering whatsoever and requires either the use of something like prepared statements or a little bit of validation.
Of the characters one needs to watch out for in SQL, there are only a few:
; — marks the end of an sql statement
‘ — marks the end of a field
— marks the beginig of a commenrt – this allows us to continue successfully.
There are ways however that we need to be aware of by using differences in utf8 sequences handling to pass data through filters. For example: by using invalid code points one utf8 handler may remove everything while another utf8 handler may only put a special character in the sequences place. This difference allows for filtering to be able to skip over certain characters in certain conditions and still allow processing.
