sql injection notes

1. SQL in Web Pages =
2. [
3.     SQL Injection =
4.     [
5.     /* 1 - '105 1=1' injection exploit */
6.         /* Allow web users to input their own search values. */
7.         txtUserId   = getRequestString("UserId");
8.         txtSQL      = "SELECT * FROM Users WHERE UserId = " + txtUserId;
9.         /* This is valid, but can be exploited when the user types certain terms such as '105 or 1=1' into the search box. */
10.         /* Inputting those values can possibly return all information from the Users table inside the database. */
11.    
12.     /* 2 - '=' exploit */
13.         /* User log in example with a username and password text field. */
14.         uName   = getRequestString("UserName");
15.         uPass   = getRequestString("UserPass");
16.         sql     = "SELECT * FROM Users WHERE Name = '" + uName + "' AND Pass = '" + uPass + "'";
17.         /* A hacker might be able to put a '=' into one of the text boxes and gain access to the names and passwords in the db. */
18.         SELECT * FROM Users WHERE Name = "" or ""="" AND Pass ="" or ""=""; /* This is what the server receives. */
19.         /* This will return all usernames and passwords directly from the Users table in the db. */
20.        
21.     /* 3 - Batched SQL statements */
22.         /* Using the same input code as the first example, typing "105; DROP TABLE Suppliers" causes the SQL batched statement to run. */
23.         /* A batched statement is multiple statements in a single request. Statements are seperated by a ; */
24.         SELECT * FROM Users; DROP TABLE Suppliers; /* This code returns all rows of the Users table, then deletes the Suppliers table. */
25.     ]
26.     Preventing SQL Injection =
27.     [
28.         /* Using Blacklist of words is common practice for preventing attacks, but this will cause certain words not to be able to be used
29.             such as 'delete' or 'drop'. Better alternative is to use SQL parameters. */
30.         SQL Parameters =
31.         [   /* Definition: Values that are added to an SQL query at execution time, in a controlled manner. This is the only proven practice. */
32.         /* Example 1 */
33.             txtUserId   = getRequestString("UserId");
34.             txtSQL      = "SELECT * FROM Users WHERE UserId = @0";
35.             db.Execute(txtSQL, txtUserId);
36.             /* The @ symbol used tells SQL to treat the entire input as a variable, even if a command is specified */
37.             /* For example, the input can be "DROP TABLE Suppliers" and it will only search for that entire string as a variable. Nothing executes */
38.        
39.         /* Example 2 */
40.             /* This shows the submission of multiple variables using SQL Parameters */
41.             txtNam  = getRequestString("CustomerName"); /* CustomerName is a value from input textfield */
42.             txtAdd  = getRequestString("Address");      /* Address is a value from input textfield */
43.             txtCit  = getRequestString("City");         /* City is a value from input textfield */
44.             txtSQL  = "INSERT INTO Customers (CustomerName, Address, City) Values(@0, @1, @2)";
45.             db.Execute(txtSQL, txtNam, txtAdd, txtCit);
46.            
47.             /* PHP version of the example above. The ':' works the same way as the '@' in javascript. */
48.             $stmt = $dbh->prepare("INSERT INTO Customers (CustomerName, Address, City) Values (:nam, :add, :cit)");
49.             $stmt->bindParam(':nam', $txtNam); /* $txtNam is value from input textfield */
50.             $stmt->bindParam(':val', $txtAdd); /* $txtAdd is value from input textfield */
51.             $stmt->bindParam(':cit', $txtCit); /* $txtCit is value from input textfield */
52.             $stmt->execute();
53.         ]
54.     ]
55. ]