[Abstract]
This document discusses in detail the common 'SQL injection' technique, as it applies to
the popular Microsoft Internet Information Server/Active Server Pages/SQL Server
platform. It discusses the various ways in which SQL can be 'injected' into the application
and addresses some of the data validation and database lockdown issues that are related
to this class of attack.
The paper is intended to be read by both developers of web applications which
communicate with databases and by security professionals whose role includes auditing
these web applications.
[Introduction]
Structured Query Language ('SQL') is a textual language used to interact with relational
databases. There are many varieties of SQL; most dialects that are in common use at the
moment are loosely based around SQL-92, the most recent ANSI standard. The typical
unit of execution of SQL is the 'query', which is a collection of statements that typically
return a single 'result set'. SQL statements can modify the structure of databases (using
Data Definition Language statements, or 'DDL') and manipulate the contents of databases
(using Data Manipulation Language statements, or 'DML'). In this paper, we will be
specifically discussing Transact-SQL, the dialect of SQL used by Microsoft SQL Server.
SQL Injection occurs when an attacker is able to insert a series of SQL statements into a
'query' by manipulating data input into an application.
A typical SQL statement looks like this:
select id, forename, surname from authors
This statement will retrieve the 'id', 'forename' and 'surname' columns from the 'authors'
table, returning all rows in the table. The 'result set' could be restricted to a specific
'author' like this:
select id, forename, surname from authors where forename = 'john' and
surname = 'smith'
An important point to note here is that the string literals 'john' and 'smith' are delimited
with single quotes. Presuming that the 'forename' and 'surname' fields are being gathered
from user-supplied input, an attacker might be able to 'inject' some SQL into this query,
by inputting values into the application like this:
Forename: jo'hn
Surname: smith
The 'query string' becomes this:
select id, forename, surname from authors where forename = 'jo'hn' and
Page 3
我的内容管理
收起
我的收益 登录查看自己的收益
我的积分
登录查看自己的积分
我的C币
登录后查看C币余额
我的收藏 
我的下载 
下载帮助 
评论0