What is SQL Injection? Why Does It Occur?
What is SQL?
SQL (Structured Query Language)
It is a relatively simple language used for operations such as retrieving, inserting, deleting, and modifying data in databases.
Today, almost all web applications have a database behind them, and these applications talk to that database through SQL.
When you leave a message on a site, it is saved in the database.
When that message is approved, a field in the database is updated.
When the administrator removes the message from the site, the corresponding record is deleted from the database.
An example of a record-deletion SQL statement is as follows:
DELETE FROM members WHERE id = 17
When the above statement is executed by the database, the record whose id field is 17 in the members table is deleted.
This article will not cover the finer details of the SQL language.
If your SQL is weak, the article will be difficult to follow.
I recommend that you first learn the basic SQL commands and understand how your database works before continuing with the article.
What is SQL Injection?
In web applications, dynamic SQL statements are built from user-supplied data for many operations.
For example, the SQL statement "SELECT * FROM members" simply returns all members from the database to the web application; in practice the WHERE clause, and the values in it, usually come from what the user typed.
When meta-characters in that user data are concatenated into the SQL statement without being escaped, the result is SQL injection.
What Is Meta-Character?
A meta-character is a character that has a special meaning for a program.
As soon as the compiler or interpreter sees such a character, it interprets what follows accordingly.
The most dangerous meta-character for SQL is the single quote ('),
because SQL treats whatever lies between two single quotes as a string: a quote inside user data ends the string early, and everything after it is parsed as SQL.
Another important meta-character is the semicolon (;), which marks the end of one statement and the beginning of the next, so data containing a semicolon can append an entire second statement.
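The following is an added example, not code from the original article, showing both meta-characters at work against dynamically built statements. It uses Python's sqlite3 module with an in-memory database so that it runs offline; the members table, the sample rows, and the function names are all constructed for the demo. The login function shows the single quote breaking out of a string, and the delete function shows the semicolon appending a second statement to what was meant to be a single DELETE of one row.

```python
import sqlite3

# Constructed sample rows for the demo; they are not data from the original article.
SAMPLE_MEMBERS = [(17, "alice", "s3cret"), (18, "bob", "hunter2"), (19, "carol", "letmein")]


def open_demo_db() -> sqlite3.Connection:
    """Return an in-memory SQLite database with a small members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Dynamic SQL built by string concatenation: user data becomes SQL text.

    The single quote is the meta-character here. Input such as  ' OR '1'='1
    closes the string early, and the rest of the input is parsed as SQL, so the
    WHERE clause becomes true for every row and the password check is bypassed.
    """
    sql = ("SELECT id, name FROM members WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def delete_member_vulnerable(conn: sqlite3.Connection, member_id: str) -> None:
    """The id is expected to be numeric but is pasted into the statement unchecked.

    The semicolon is the meta-character: '18; DELETE FROM members' ends the intended
    statement and starts a second one. executescript() is used because it runs every
    statement in the string, as many database drivers do; sqlite3's plain execute()
    would refuse the stacked statement, which is a driver property, not a defense.
    """
    conn.executescript("DELETE FROM members WHERE id = " + member_id)


def count_members(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]


if __name__ == "__main__":
    db = open_demo_db()
    print(login_vulnerable(db, "alice", "s3cret"))             # legitimate use: one row
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))  # every row, no password needed
    delete_member_vulnerable(db, "18; DELETE FROM members")    # intended: one row; actual: all rows
    print(count_members(db))
```

Note that the password payload works even though the application "checks" the password: the database does exactly what the statement says, and the statement no longer says what the developer meant.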
Why does the SQL Injection vulnerability occur?
There are two important rules for protecting against SQL injection:
All meta-characters must be escaped.
Parameters that are expected to be numeric must be tested to check that they really are numeric.
Rule Number One;
All dynamically generated SQL statements must escape meta-characters correctly.
For example, on SQL Server the single quote character (') should be replaced with two single quotes ('').
This tells SQL Server that it is looking at one literal quote character, not the end of the string.
Rule Number Two;
If the data used to build the SQL statement is expected to be numeric, it must be tested to see whether it is numeric, and if it is not, the application must reject it. Escaping does not help here, because a numeric value is not enclosed in quotes, so the quote is not the character that does the damage.
Once the anatomy of the attack is understood, the defense is quite simple:
Before building the SQL statement, test that all the dynamic data that goes into it matches the expected data type.
Is data that is expected to be numeric really numeric?
Always escape meta-characters in string data.
Use parameterized SQL statements (for example, through stored procedures that take parameters).
Whitelisting means accepting only the expected characters. For example, where a name is entered, punctuation is not accepted.
Even after whitelisting, meta-characters should still be escaped. Detailed protection methods are not the subject of this series of articles.
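As an added example (not code from the original article), the four defenses listed above applied to the same members table, again using Python's sqlite3 module with an in-memory database so it runs offline. The table, the sample rows and the function names are constructed for the demo; quote doubling is shown as the escaping method, a numeric check covers rule two, a bound parameter shows the parameterized form, and a regular expression shows a whitelist for a name field.

```python
import re
import sqlite3

# Constructed sample rows for the demo; they are not data from the original article.
SAMPLE_MEMBERS = [(17, "alice", "s3cret"), (18, "bob", "hunter2"), (19, "carol", "letmein")]


def open_demo_db() -> sqlite3.Connection:
    """Return an in-memory SQLite database with a small members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


# Rule one: escape the single quote by doubling it, so the database reads it as a
# literal character inside the string rather than as the end of the string.
def escape_single_quotes(value: str) -> str:
    return value.replace("'", "''")


def login_escaped(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Still string-built SQL, but every quote in the data has been escaped."""
    sql = ("SELECT id, name FROM members WHERE name = '" + escape_single_quotes(username)
           + "' AND password = '" + escape_single_quotes(password) + "'")
    return conn.execute(sql).fetchall()


# Rule two: a parameter that should be a number must be proven to be one. Escaping
# cannot help here because the value is not inside quotes in the first place.
def is_numeric_id(raw: str) -> bool:
    return re.fullmatch(r"[0-9]+", raw) is not None


def delete_member_checked(conn: sqlite3.Connection, raw_id: str) -> int:
    """Validate the type, then bind the value; returns the number of rows deleted."""
    if not is_numeric_id(raw_id):
        raise ValueError(f"member id must be a positive integer, got {raw_id!r}")
    cur = conn.execute("DELETE FROM members WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


# Parameterized statement: the data is bound separately from the SQL text, so the
# database never parses it as SQL, whatever meta-characters it contains.
def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    return conn.execute(
        "SELECT id, name FROM members WHERE name = ? AND password = ?",
        (username, password),
    ).fetchall()


# Whitelisting: accept only the characters a field legitimately needs. A member name
# here is letters, digits and underscore; punctuation, including quotes, is rejected.
NAME_WHITELIST = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_allowed_name(raw: str) -> bool:
    return NAME_WHITELIST.fullmatch(raw) is not None


if __name__ == "__main__":
    db = open_demo_db()
    payload = "' OR '1'='1"
    print(login_escaped(db, payload, payload))        # []: the payload is now just a string value
    print(login_parameterized(db, payload, payload))  # []: same result, with no escaping code to get wrong
    print(is_allowed_name(payload))                   # False: rejected before any SQL is built
    print(is_numeric_id("18; DELETE FROM members"))   # False: the stacked statement never reaches the database
    print(delete_member_checked(db, "18"))            # 1
```

Quote doubling is what the SQL standard specifies and what SQL Server and SQLite expect; some other databases accept additional escape syntaxes, which is one reason the parameterized form is the safer default: it needs no per-database escaping rules and cannot be forgotten for one of several concatenated values.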