9 Replies - 419 Views - Last Post: 09 June 2014 - 11:30 AM

#1 Logik22 (D.I.C Head; Reputation: 10; Posts: 164; Joined: 12-December 11)

How do SQL injections work?

Posted 04 June 2014 - 06:09 PM

I'm making a basic PHP site that is just a form and a table that displays the results entered in the form. I understand the gist of SQL injections. I know how the user can enter text to close your query and begin a new query to drop a table, add a user, etc. I also know what you can do to minimize your risk (limited user permissions, prepared statements, input sanitizing, etc). What I don't understand is how would they be able to find out the table and field names.

For example, let's say one of my fields is to accept data like a product name or something along those lines. The user may be able to close that query and then do something like "DROP TABLE user_names". How would the user even begin to find out the name of the table or field so they at least know what to refer to in their SQL injection?


Replies To: How do SQL injections work?

#2 macosxnerd101 (Self-Trained Economist; Reputation: 10596; Posts: 39,259; Joined: 27-December 08)

Re: How do SQL injections work?

Posted 04 June 2014 - 06:11 PM

They wouldn't have access to the inner workings of your database. However, some lucky guesses can really go a long ways. Developers (generally) adhere to pretty standard naming conventions. So users is probably a table name, and an important table at that. It's really not so hard to guess.

#3 Logik22 (D.I.C Head; Reputation: 10; Posts: 164; Joined: 12-December 11)

Re: How do SQL injections work?

Posted 04 June 2014 - 06:13 PM

macosxnerd101, on 04 June 2014 - 06:11 PM, said:

They wouldn't have access to the inner workings of your database. However, some lucky guesses can really go a long ways. Developers (generally) adhere to pretty standard naming conventions. So users is probably a table name, and an important table at that. It's really not so hard to guess.


That is very understandable but surely there must be a more sophisticated way than just guessing the obvious ones. I appreciate your response but I refuse to believe that every site would recommend extra steps like limited user access, sanitizing inputs, and all the other 'rules of thumb' when they could just say "Name your table something random".

#4 macosxnerd101 (Self-Trained Economist; Reputation: 10596; Posts: 39,259; Joined: 27-December 08)

Re: How do SQL injections work?

Posted 04 June 2014 - 06:20 PM

If I named my table "michelle_obama_wants_me_to_eat_veggies" and stored some information in there, it would take you some time to decipher it each time you came back to the table. Wouldn't you prefer I just name the table customer_orders? It goes towards naming conventions.

Prepared Statements also have performance gains if you're executing the same query repeatedly. Sanitizing user input isn't necessary with prepared statements.

Quote

limited user access

Security concerns aside, users are morons by assumption. Do you really want every user to have full access?
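The point above about prepared statements making input sanitizing unnecessary is easiest to see side by side. The following is an added example, not code from the thread or from any poster; it uses Python's built-in sqlite3 module rather than the original poster's PHP because the mechanism is the same (compile the statement with a placeholder, bind the field value afterwards). The products table, its rows and the "visibility" column are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for this demonstration (not from the thread). One name
# contains an apostrophe on purpose, and one row is not meant to be visible to the
# public form at all.
PRODUCTS = [
    ("widget", "public"),
    ("gadget", "public"),
    ("bob's widget", "public"),
    ("prototype", "internal"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_concatenated(conn, name):
    """Vulnerable form: the form field is pasted into the SQL text, so any quote
    in it changes the grammar of the statement instead of being compared as data."""
    sql = ("SELECT name FROM products "
           "WHERE visibility = 'public' AND name = '%s'" % name)
    return [row[0] for row in conn.execute(sql)]


def search_prepared(conn, name):
    """Safe form: the statement is compiled with a placeholder and the field value
    is bound afterwards, so the database never parses the user's text as SQL."""
    sql = "SELECT name FROM products WHERE visibility = 'public' AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and report what each returns; a raised
    error (the statement no longer parses) is reported as the exception's class name."""
    conn = make_db()
    result = {"prepared": search_prepared(conn, name)}
    try:
        result["concatenated"] = search_concatenated(conn, name)
    except sqlite3.Error as exc:
        result["concatenated"] = type(exc).__name__
    return result


if __name__ == "__main__":
    for field in ["widget", "bob's widget", "x' OR '1'='1"]:
        print(repr(field), "->", compare(field))
```

Two things are worth noticing. A perfectly legitimate product name with an apostrophe breaks the concatenated query outright, so the prepared form fixes a functional bug as well as the security one. And the input that closes the quote and appends a condition makes the concatenated query return the "internal" row too, while the prepared query simply looks for a product literally named that and finds none. In PHP the same shape is PDO's prepare() followed by execute() with the values passed as bound parameters.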

#5 modi123_1 (Suitor #2; Reputation: 9288; Posts: 34,827; Joined: 12-June 08)

Re: How do SQL injections work?

Posted 04 June 2014 - 06:27 PM

In most DBs you can query the available tables and have it spit out all the table names... typically this should be limited, but some leave it open.

#6 Logik22 (D.I.C Head; Reputation: 10; Posts: 164; Joined: 12-December 11)

Re: How do SQL injections work?

Posted 04 June 2014 - 06:28 PM

macosxnerd101, on 04 June 2014 - 06:20 PM, said:

If I named my table "michelle_obama_wants_me_to_eat_veggies" and stored some information in there, it would take you some time to decipher it each time you came back to the table. Wouldn't you prefer I just name the table customer_orders? It goes towards naming conventions.

Prepared Statements also have performance gains if you're executing the same query repeatedly. Sanitizing user input isn't necessary with prepared statements.

Quote

limited user access

Security concerns aside, users are morons by assumption. Do you really want every user to have full access?


When I say user access I mean the user I use to connect to the database. So no, I would only give them access to whatever SQL statements (Select, alter, etc) they'd need to run.

So if I named my tables a random 16-character (a-z, A-Z, numbers, symbols, etc) string, it would be next to impossible to SQL inject me unless someone wanted to waste 10 years of their life typing in every possible random key combo in every character limit? Are SQL injections literally just guessing what the table is called?

modi123_1, on 04 June 2014 - 06:27 PM, said:

In most DBs you can query the available tables and have it spit out all the table names... typically this should be limited, but some leave it open.


Now that sounds more like it. I would like to look into this. Do you have any keywords I could Google for more information?

This post has been edited by Logik22: 04 June 2014 - 06:29 PM


#7 ArtificialSoldier (D.I.C Lover; Reputation: 400; Posts: 1,466; Joined: 15-January 14)

Re: How do SQL injections work?

Posted 09 June 2014 - 11:06 AM

Quote

So if I named my tables a random 16-character (a-z, A-Z, numbers, symbols, etc) string, it would be next to impossible to SQL inject me unless someone wanted to waste 10 years of their life typing in every possible random key combo in every character limit? Are SQL injections literally just guessing what the table is called?

That's not really the point. You protect your database through things like filtering out SQL injections, that is how you protect your database. Coming up with 64 character random strings for identifiers is not protection, that is obfuscation. What happens if you name everything randomly, don't bother with protecting your actual queries, and then someone figures out the names of everything somehow? Maybe they paid a friend who works for the host, maybe they found a back door that allowed them to upload PHP files and run whatever they want, who knows. How they get the list of identifiers is not relevant. Expecting your database to be protected by randomizing identifier names is not security. Writing your code to avoid SQL injections will go a much longer way towards securing your application than just hoping that no one figures out your identifier names.

In practice, one reason people find out identifier names is because many of the projects are open source. You can download the code yourself and try the default names. But people worried about securing their systems don't do things like try to hide their database, instead they make sure the code that uses the database is secure.

#8 Logik22 (D.I.C Head; Reputation: 10; Posts: 164; Joined: 12-December 11)

Re: How do SQL injections work?

Posted 09 June 2014 - 11:12 AM

ArtificialSoldier, on 09 June 2014 - 11:06 AM, said:

Quote

So if I named my tables a random 16-character (a-z, A-Z, numbers, symbols, etc) string, it would be next to impossible to SQL inject me unless someone wanted to waste 10 years of their life typing in every possible random key combo in every character limit? Are SQL injections literally just guessing what the table is called?

That's not really the point. You protect your database through things like filtering out SQL injections, that is how you protect your database. Coming up with 64 character random strings for identifiers is not protection, that is obfuscation. What happens if you name everything randomly, don't bother with protecting your actual queries, and then someone figures out the names of everything somehow? Maybe they paid a friend who works for the host, maybe they found a back door that allowed them to upload PHP files and run whatever they want, who knows. How they get the list of identifiers is not relevant. Expecting your database to be protected by randomizing identifier names is not security. Writing your code to avoid SQL injections will go a much longer way towards securing your application than just hoping that no one figures out your identifier names.

In practice, one reason people find out identifier names is because many of the projects are open source. You can download the code yourself and try the default names. But people worried about securing their systems don't do things like try to hide their database, instead they make sure the code that uses the database is secure.


I'm aware that naming my tables something completely irrelevant shouldn't be considered a method of protection. As you'll see, I outlined a few methods of prevention above.

My question is, if I don't have those methods of prevention, how would they even be able to write an SQL injection without knowing the anatomy of my database?

I think how they get a list of identifiers is very relevant. If I want to learn how to secure a bank, I'll become a bank robber.

#9 ArtificialSoldier (D.I.C Lover; Reputation: 400; Posts: 1,466; Joined: 15-January 14)

Re: How do SQL injections work?

Posted 09 June 2014 - 11:29 AM

Quote

My question is, if I don't have those methods of prevention, how would they even be able to write an SQL injection without knowing the anatomy of my database?

They won't. As to how they determine the anatomy, maybe they can query the information_schema database to figure out all of the identifier names. Maybe they can upload a PHP back door script to run console commands with elevated privileges. Maybe they have a friend at the data center that they pay for a copy of the database. Maybe they walk in with a clipboard and hat and convince someone that they should have access. Maybe they can find error messages or error logs that shed light on the structure. Maybe they target a computer with a virus to monitor network traffic. Maybe they work for the NSA. Who knows?
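Posts #5 and #9 both point at the catalogue (information_schema on MySQL) as the place an injected query would read table names from, and #5 notes that access to it "should be limited". That limiting is done on the database account the web application connects as: on MySQL or PostgreSQL you GRANT that account SELECT (and whatever else it genuinely needs) on its own tables and nothing else, so an injected query runs with the same narrow rights. The following is an added example, not code from the thread or from any poster, showing the same idea on SQLite, which has no accounts or GRANT but exposes an authorizer hook through Python's sqlite3 module. The products and user_names tables and the policy names are constructed for the demonstration; sqlite_master is SQLite's real catalogue table.

```python
import sqlite3


# Constructed schema for this demonstration (not from the thread): "user_names" is
# the table the original poster was worried about losing to an injected DROP TABLE.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT);
        CREATE TABLE user_names (login TEXT);
        INSERT INTO products VALUES ('widget');
        INSERT INTO user_names VALUES ('alice');
    """)
    return conn


# What the web-facing account may read. sqlite_master (SQLite's catalogue, the
# counterpart of information_schema) is deliberately not on the list.
WEB_READABLE_TABLES = {"products"}

# Schema-changing and destructive actions the web-facing account never needs.
WEB_DENIED_ACTIONS = {
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DROP_INDEX, sqlite3.SQLITE_DROP_VIEW,
    sqlite3.SQLITE_DROP_TRIGGER, sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE,
    sqlite3.SQLITE_DELETE, sqlite3.SQLITE_UPDATE,
}


def web_account_policy(action, arg1, arg2, db_name, trigger):
    """Authorizer hook: SQLite calls this for every action while compiling a
    statement; for SQLITE_READ, arg1 is the table name and arg2 the column."""
    if action in WEB_DENIED_ACTIONS:
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_READ and arg1 not in WEB_READABLE_TABLES:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def admin_policy(action, arg1, arg2, db_name, trigger):
    """The unrestricted maintenance account, for contrast."""
    return sqlite3.SQLITE_OK


def try_statement(conn, sql):
    """Compile and run sql under the current policy and report the outcome; a
    denied statement is rejected at compile time, before anything executes."""
    try:
        conn.execute(sql)
        return "allowed"
    except sqlite3.DatabaseError as exc:
        return "denied: %s" % exc


def demo():
    conn = make_db()
    conn.set_authorizer(web_account_policy)
    outcome = {
        "read products": try_statement(conn, "SELECT name FROM products"),
        "enumerate schema": try_statement(
            conn, "SELECT name FROM sqlite_master WHERE type = 'table'"),
        "read user_names": try_statement(conn, "SELECT login FROM user_names"),
        "drop user_names": try_statement(conn, "DROP TABLE user_names"),
    }
    # Switch to the maintenance policy to confirm nothing was actually lost.
    conn.set_authorizer(admin_policy)
    outcome["tables still present"] = sorted(
        r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))
    return outcome


if __name__ == "__main__":
    for step, result in demo().items():
        print("%-22s %s" % (step, result))
```

Only the product lookup the form needs goes through; reading the catalogue, reading the other table and dropping it are all refused before execution. This does not replace prepared statements (an injected SELECT against a table the account can read would still succeed), but it bounds what a missed injection can do, which is the "limited user access" item from the first post.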

#10 Logik22 (D.I.C Head; Reputation: 10; Posts: 164; Joined: 12-December 11)

Re: How do SQL injections work?

Posted 09 June 2014 - 11:30 AM

ArtificialSoldier, on 09 June 2014 - 11:29 AM, said:

Quote

My question is, if I don't have those methods of prevention, how would they even be able to write an SQL injection without knowing the anatomy of my database?

They won't. As to how they determine the anatomy, maybe they can query the information_schema database to figure out all of the identifier names. Maybe they can upload a PHP back door script to run console commands with elevated privileges. Maybe they have a friend at the data center that they pay for a copy of the database. Maybe they walk in with a clipboard and hat and convince someone that they should have access. Maybe they can find error messages or error logs that shed light on the structure. Maybe they target a computer with a virus to monitor network traffic. Maybe they work for the NSA. Who knows?



That makes more sense. Thanks!
