Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sql


  • Please log in to reply
6 replies to this topic

#1 Commander Gman

Commander Gman

  • Members
  • 1,214 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:29 PM

Posted 01 March 2007 - 08:01 AM

Im not sure if i should place the topic here anyways pls.notify me if i need to change the location or if it should be here so anyways,back to the topic:I've been hearing this acronym lately when i was making a little website being hosted by some guy and havent found a good explanation,most of them i cant know what they're saying but what is SQL and SQL injection? i know theres this "attack" when it comes to SQL injection but im still not sure though what SQL attacks in those websites....
Any info will be apprieciated thanks! :thumbsup:

Edited by Commander Gman, 01 March 2007 - 09:37 PM.

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3


BC AdBot (Login to Remove)

 


#2 Walkman

Walkman

  • Banned
  • 1,327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 01 March 2007 - 09:04 AM

My words............

This is just a basic touch on it. But if you want to learn more about this.... I would suggest you look around through search engines and read the topics, tips, and information you will need to protect yourself from such.

SQL Injection
Is a method used to inject, modify, or otherwise alter your database and (or) the contents of your web page.

If you were to be infected with a SQL injection, then the culprits could alter your database, which can, in fact, alter your web pages/site (if driven by the database).

Code can be injected into your database which can be used to take people to other locations instead of the intended ones when they get to your site. The code can project content that isn't yours....... on your site. The code can spoof a web site.... meaning... making it appear to be your site, but in fact it their site (the culprits).

Code can get injected on you when you fill in forms on web sites, just to see if you have a database that has passwords and usernames, or any other similar valuable information.

Code can be inserted in your web site, and reveal secured information from your database when the right combination of a query is injected into a form.

SQL = Structured Query Language. It's a way to instruct a database to do certain things if certain conditions are met, or simply do them just because I'm instructing you to do so.

On the other hand, someone can inject SQL injection onto you, and it can cause many problems on your computer... like, create files on your computer, which are unsuspected to you, even if you search for them. They can alter your computer itself because if you're running a localhost, server on your hard drive, then chances are you have a database server too. When getting infected/injected with this, it's just like saying you have a virus or such.

Basically, if you get injected with an SQL injection, then someone has access to your computer, website, database.

But there are ways to protect yourself from such attacks..... but you need to do some research because it's not a one person tell-all thing. There are quite a few ways you can be gotten by this injection. And if you're running databases on your server, then you need to know how to protect that data.... even if it isn't important data. It can get altered and (or) deleted.

Bottom line... if you know SQL very well, you can get any info you want from any SQL database. But like everything else in this world..... there are good things, but there are some that make it bad.

You're simply manipulating the input, in order to get the output you want.

There are ways to protect yourself... and do yourself a favor and look at other sites too. There are groups out there that are explaining this and how to protect yourself from such attacks.

#3 Commander Gman

Commander Gman
  • Topic Starter

  • Members
  • 1,214 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:29 PM

Posted 02 March 2007 - 02:36 AM

Code can be injected into your database which can be used to take people to other locations instead of the intended ones when they get to your site. The code can project content that isn't yours....... on your site. The code can spoof a web site.... meaning... making it appear to be your site, but in fact it their site (the culprits).


So this also means that there are phising sites?

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3


#4 Walkman

Walkman

  • Banned
  • 1,327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 02 March 2007 - 03:16 PM

That's very well possible.

There are very many variables to that quote you quoted.

someone can come to your site, inject code into your database..... then leave your site..... someone else can come to your site, fill out a form or such, but get redirected to somewhere else....... all because the culprits have already injected the code into your database.

Trust me on this... there are more than one way to inject SQL injection onto you, but if your site is well setup, and your database is well configured,, meaning your php, mysql, or whatever you use, then you should be fine. Nothing is guaranteed, and nothing can keep you 100% safe, except the knowledge that you receive. You'll be 100% safe with knowledge.

And if I were you, I'd take the time to research this on many other sites.... and not just one site. Personally, I find that odd for a person to want to know about how people inject poison into others, but yet and still, don't want to read the medical information on it, just so you can reduce the chance of it being injected into you.

I'm encouraging you to do some research on this.... it's not going to take you your whole life time, ...but at the same time, it will better prepare you for your web site ventures.

If you're really concerned about this, don't wait until you become a victim. Go find out., and post back here what you've learned, so others can learn from you and your experiences in combating this. Do what you can to help yourself, and then take that to help others too.

Just think about it..... BleepingComputer is helping you right now.....

Go get'em tiger......... :thumbsup:

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:29 AM

Posted 02 March 2007 - 07:49 PM

Ok, so now how about an answer from someone that actually works with relational databases.

SQL injection is the act of sending a database malformed instructions that allow an attacker to fingerprint a database with the hope of gaining administrator privileges, or stealing data. Incidentally, php is not a database, it is a scripting language. Anyway, sql injection can be prevented by simply sanitizing the input, and only giving the necessary grants to the users. A grant is a type of permission; a user can have "Select" grants, which only allows them to query the database, or they can have full grants, which allows them to do anything with the database that they want. Most of the time that is not a good idea.

At any rate, the act of sql injection comes from entering data into a form, or into a text window like this one. If a properly malformed query is put in as text, the database will return an error that may give some information about the database. Through trial and error, plus a bit of knowledge of what a relational database actually is, one can get a very good idea of information contained in the database. In addition, database software sometimes has chunks of code that can be manipulated through injection to give admin access to the database.

Sanitizing the input is pretty easy. There are many standard libraries that will do the dirty work for you. The reason SQL injection even exists is because people don't take the time to make sure that their code is correct, and that access is restricted.

Some of the effects of code injection can mean that an attacker can get administrative access to the database. If it is a database that is used for dynamic web content, it is possible that they would put their own code in that would take you away from the site that you think you are on. In practice, that rarely happens because if they are directing you to their server, it wouldn't be very difficult for law enforcement to figure out who attacked the database. It is much more common that data is simply stolen and used for whatever purpose.

The long and short is that if you are not using any sort of a database, then you have nothing to worry about. Should you want more information about SQL injection, one of the clearest guides I know is this one. It is lengthy, but it is thorough, and you will know way more about it than most people.

#6 Commander Gman

Commander Gman
  • Topic Starter

  • Members
  • 1,214 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:29 PM

Posted 02 March 2007 - 07:54 PM

Ok thanks,i've got all the info i need :thumbsup:

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,674 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 03 March 2007 - 12:59 AM

To further add to Groovicus' excellent answer, you should look at SQL injection as a technique a hacker can use to actually modify your intended SQL statements to achieve a different function or purpose.

Also SQL inject can not allow a hacker to access your file system directly. Its purely for database manipulation.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users