What Is SQL Injection By albro

In this post, I'm going to examine attacks called SQL Injection attacks.
What is SQL Injection?
When it comes to SQL Injection, many web programmers and website administrators are afraid and think that they are dealing with a very complicated topic. So first of all I have to tell you that there is nothing to worry about. All you have to do is get rid of some bad habits and learn some new ones. In other words, we don't need any special operation or complex design; we only need to write our queries in the correct format so that they are completely safe. That simple!
Unfortunately, although preventing SQL Injection is very simple, it is still one of the most common and important causes of website hacking in the world. Part of the blame lies with site owners who hire programmers who want lower salaries rather than those with more expertise. Another part of the blame lies with programmers who think that learning programming commands makes them programmers and make no effort to secure the website; instead they take their fee and quickly deliver the site. Try to be ethical and do not cut corners in your work.
Technically, SQL Injection is:
SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
But if I want to say it in simpler language:
SQL Injection is an exploit of improperly formatted SQL queries. The root of this type of attack is mixing code and data.
In fact, an SQL query is a program just like a PHP script, but the difference is that we build this program dynamically and add pieces to it as we go (usually pieces that come from the user). In such a situation it is natural that some input changes the structure of our program or disrupts its execution. This happens only when we have not formatted our query correctly.
The following image is one of the jokes about SQL Injection that users and programmers have spread around the web:

If you have a little familiarity with SQL Injection, you will get the joke in this picture; if you don't understand it, that's okay. I want to give an example of SQL Injection based on this joke. To understand it, you should know that SQL Injection attacks come from the user's side and through the user's data. For example, you want the user to give you some value: in a form you ask for the user's age or name, in the login form you ask for a username and password, or in the comments you ask users for their opinion. Now suppose one of our queries is as follows:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
SQL logic is such that the expression 1=1 is always true. Now suppose we ask the user for a value (for example, a username) and instead of typing that value, the user enters the expression 105 OR 1=1 in the form. In this case our query will look like this:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
Do you see what happened? Since 1=1 is always true, the whole WHERE condition is always true, so the query executes and returns all rows from the Users table! Now, what if the Users table held users' names and passwords or other important information? In this way even a beginner hacker can get all the information about your users!
The same thing happened in the picture above: in the online form, instead of entering the student's name, the text Bobby';DROP TABLE users; -- was entered. This statement will delete the users table and lose the information of all students! The following example is the same as the image above:
$name = "Bobby';DROP TABLE users; -- ";   // the value exactly as typed into the form
$query = "SELECT * FROM users WHERE name='$name'";   // the variable is interpolated straight into the SQL
I have put the name variable directly into the query, so it turns into the following malicious SQL:
SELECT * FROM users WHERE name='Bobby';DROP TABLE users; -- '
Although programmers call this situation SQL Injection, its practical reality is an unformatted string. Our query does not have the correct structure and format, and that is what allows the whole table to be deleted; that is the SQL Injection.
Let's go to another example:
$id = "1; DROP TABLE users;";                     // the value as received from the user
$id = mysqli_real_escape_string($link, $id);     // escapes quotes, backslashes, NUL and line breaks, nothing else
$query = "SELECT * FROM users WHERE id = $id";   // the value is still not enclosed in quotes
In this example we have asked the user for an ID or username and put it in the id variable. Then we have cleaned it with the mysqli_real_escape_string function and finally the query is executed. Note that mysqli_real_escape_string escapes only quotes, backslashes, NUL and line breaks; it does not touch semicolons, so this value passes through unchanged and the query becomes:
SELECT * FROM users WHERE id = 1; DROP TABLE users;
Although the above code does not cause any danger (mysqli_query executes only a single statement, so the DROP TABLE part is never run; note, though, that an input such as 1 OR 1=1 would pass through the escaping unchanged and return every row, because escaping cannot protect a value that is not enclosed in quotes), the discussion here is not only about whether it is dangerous or not. Imagine a boy named Leo O'Hara who wants to enrol in the school system. If we do not correct our query format, we will produce the following code:
INSERT INTO users SET name='Leo O'Hara'
Because of the apostrophe (') in this boy's surname, we get a syntax error.
[Hive: @albro]