SQL Injection
What is SQL Injection?
SQL Injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It typically allows an attacker to view data that they are not normally able to retrieve, such as other users' data, or to perform other malicious actions on the database.
Types of SQL Injection
There are several types of SQL Injection attacks, including:
- In-band SQL Injection: The attacker uses the same communication channel to both launch the attack and retrieve the results.
- Inferential (Blind) SQL Injection: The attacker sends data to the server and observes the response, but does not directly see the data returned.
- Out-of-band SQL Injection: The attacker retrieves the results over a different channel from the one used to launch the attack.
Examples of SQL Injection
Here are some examples of SQL Injection vulnerabilities:
<!-- Basic SQL Injection Example -->
<form action="login.php" method="post">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" value="Login">
</form>
<!-- Vulnerable code -->
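<?php
// $connection is an existing mysqli connection.
// Vulnerable: the POST values are concatenated straight into the SQL string.
$query = "SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'";
$result = mysqli_query($connection, $query);
?>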
<!-- Malicious input: the quote closes the username string and the trailing comment marker removes the password check -->
Username: admin' --
Password: [anything]
<!-- Union-based SQL Injection Example -->
<form action="search.php" method="get">
<input type="text" name="search" placeholder="Search">
<input type="submit" value="Search">
</form>
<!-- Vulnerable code -->
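<?php
// $connection is an existing mysqli connection.
// Vulnerable: the search term is concatenated straight into the SQL string.
$query = "SELECT * FROM products WHERE name LIKE '%".$_GET['search']."%'";
$result = mysqli_query($connection, $query);
?>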
<!-- Malicious input: the UNION appends rows from the users table to the product results -->
search: ' UNION SELECT username, password FROM users --
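
The login and search queries above, each next to a parameterized version and run with the page's own two inputs. This is an added example, not code from the original page: it assumes PHP with the pdo_sqlite extension, uses PDO with a constructed in-memory SQLite database in place of the page's mysqli connection, and the function names and table rows are hypothetical.

```php
<?php
// Added example. Assumptions: PDO + pdo_sqlite instead of the page's mysqli
// connection; tables, rows and function names are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("CREATE TABLE products (name TEXT, price TEXT)");
$pdo->exec("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2')");
$pdo->exec("INSERT INTO products VALUES ('Blue widget', '9.99'), ('Red widget', '12.50')");

// Vulnerable form, as on the page: input becomes part of the SQL text.
// (Plaintext password comparison is kept only to mirror the page's query.)
function login_concat(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT * FROM users WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened form: the statement is fixed; input is bound as data only.
function login_bound(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

function search_concat(PDO $pdo, string $term): array {
    $sql = "SELECT * FROM products WHERE name LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// The wildcards are added to the bound value, not to the SQL string.
function search_bound(PDO $pdo, string $term): array {
    $stmt = $pdo->prepare("SELECT * FROM products WHERE name LIKE ?");
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Inputs taken from the page's two examples.
$loginInput  = "admin' --";
$searchInput = "' UNION SELECT username, password FROM users --";

printf("login  concatenated: %s\n", var_export(login_concat($pdo, $loginInput, 'anything'), true));
printf("login  bound:        %s\n", var_export(login_bound($pdo, $loginInput, 'anything'), true));
printf("search concatenated: %d rows\n", count(search_concat($pdo, $searchInput)));
printf("search bound:        %d rows\n", count(search_bound($pdo, $searchInput)));
printf("search bound, 'widget': %d rows\n", count(search_bound($pdo, 'widget')));
```

With the concatenated queries the login check passes and the search returns rows from users; with bound parameters the same inputs are compared as literal strings and match nothing, while an ordinary search term still works.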