Understanding One of the Most Common Hacks

Not everyone has to be an expert coder to run a website, but improperly coded web pages can lead to disastrous effects.

SQL injection hacks take advantage of poorly coded sites, and they are at the heart of major website penetration occurrences. Even big companies fall victim to SQL injection, and they usually allow the hacker to steal sensitive data such as credit card information and social security numbers.

SQL injection is a complicated subject, but you can protect your site more efficiently if you understand the basic way hackers manipulate your sites to give them access.

The simplest way to understand SQL injection is using website form submissions. This article will use the example of a form that retrieves a user's user name and password, sends it to the database and displays results.

These forms are not only common on most websites, but they are also common targets for SQL injection hackers to gain access to user passwords.

Your Login Form

Using simple HTML, the following text represents the code needed to create a basic login form:

<form method="post" action="login.php"> 
<input type="text" id="username"> <br />
<input type="text" id="password"> 
</form> 

In this example, the "login.php" file submits the form input to your database. This file contains the SQL code used to retrieve user information provided that the input is correct. Most PHP programmers use inline SQL, which means the SQL statement is built using PHP strings.

For example, the following is a simple SQL statement that uses form input to log in:

Select * from Users where username='<form username>' and password='<form password>' 

If the user enters the wrong information for any of these values, the SQL statement returns no records. However, the SQL statement can be manipulated by using SQL code in the form input fields.

It's this manipulation that gives hackers access to user information.

SQL Injection Using Form Input

Using the SQL statement above, what happens when you eliminate the "password" parameter? If you understand SQL, you'll notice that eliminating the password parameter retrieves all information about the submitted user. In other words, the code turns into the following SQL statement:

Select * from Users where username='<form username>' 

The above SQL statement is what hackers try to execute using SQL injection. Hackers can perform the injection using your unsecured form submission page by building an alternate SQL statement. The hacker uses the following input in your login form:

Administrator' -- 

The "--" characters comment out any code that follows. Using the above input, it turns your original SQL statement to the following:

Select * from Users where username='administrator'-- and password='' 

Since the "--" characters comment out code, the password parameter is never used. The result is a SQL statement that returns all information about the administrator including the password. The hacker retrieves the administrator's password and can now log in to your website using elevated permissions.

SQL injection and security are complicated topics, but you can take small precautions to protect your site. The PHP language has escape functions that stop special SQL characters from being used in submitted statements.

You can also use stored procedures, which are small functions stored on the server that do not allow execution of special characters.

If you are unsure of your site's security, we can review your site. We can also offer SQL injection scanning that will check for basic security flaws.

In addition, this example shows the importance of encrypting your users' passwords. If passwords are encrypted, the hacker cannot gain access even if the injection is successful.