Can someone explain WHY SQL injection works?

[HyperShadow243]

I just finished realistic mission 2 but I don't really understand why these certain strings cause a password bypass. I understand that x==x but why does SQL take that statement as a code or script or whatever it does instead of taking it as literally "x==x". Like in C++ if you have (for a simple example):

int x = 10;
cout << x << endl; //This would print out 10 where as:

cout << "x" << endl; //Would print out the letter x. Why isn't this the case with this SQL injection?


Thanks.

[Skiddie Killer]

First result on Google for "SQL injection":
http://en.wikipedia.org/wiki/SQL_injection

[msbachman]

SQL injection works because quotes are used to block off strings. People can then add a quote or two to couple the standard input with something that always evaluates to be true via an 'OR'.

If that's not the sort of answer you're looking for then clarify what you mean by "why SQL injection works."

[Vulpine]

SQL injections have electrolytes.

[HyperShadow243]

SQL injection works because quotes are used to block off strings. People can then add a quote or two to couple the standard input with something that always evaluates to be true via an 'OR'.

If that's not the sort of answer you're looking for then clarify what you mean by "why SQL injection works."

Thank you. Exactly the answer I was looking for.

[ProdiGenius]

having just beaten realistic 2 yesterday, i was wondering the same thing- but the wiki post answers any questions i did have.

[tremor77]

Now to add an additional learning experience to this topic... post a method in which you as a website designer can help to prevent an SQL injection on your scripts. Don't repeat any of the previous methods posted.

I will start: This one is simple and not very effective, but it's a good practice - don't connect your database using root or a user with privileges any greater than needed.

[HyperShadow243]

I don't know what the syntax would be for SQL but thinking in C++ one way would be to only allow alphanumerical symbols. So if a quotation mark or exclamation point or -- was submitted, it would complain and not allow the user entry. At least that's what I thought of. I'm sure there are way better ways of stopping SQL injections than this though :/

On a side note though, why wouldn't the method you stated be effective?

[tremor77]

I don't know what the syntax would be for SQL but thinking in C++ one way would be to only allow alphanumerical symbols. So if a quotation mark or exclamation point or -- was submitted, it would complain and not allow the user entry. At least that's what I thought of. I'm sure there are way better ways of stopping SQL injections than this though :/

Absolutely, in PHP this may refer to htmlspecialchars, which can strip out special characters.. some people may opt to use a preg_match/replace routine as well.. this works well, unless your input requires usage of any special characters. The same can be done in ASP as well with similar functions.

On a side note though, why wouldn't the method you stated be effective?

The method I stated doesn't necessarily solve the problem of the creating the injection, by escaping the SQL statement with a ' or ", it only mitigates the possible damage that the injection can do by limiting the range of queries that can be passed. Stopping the injection attempt would be the ultimate goal of the web designer.

[HyperShadow243]

Oh. Wow. Thank you very much for explaining tremor. All this information that I've learned from this website has got me kinda worried about just how safe everything is. I made a quick little console app with a password that would display two outcomes: Welcome or Get out. After completing application mission 3, I tried to bypass the password in my console app and well...it was as easy as looking through the hex...Hopefully I'll learn some ways on how to make code more secure

Thanks for taking the time to explain this to me tremor.


EDIT: Just got up to app 5 so guess I'll be learning the answer to my last question soon enough haha