A look at the SQL injection attack, and a trick to protect your website from it

Oxford Plus Website

9/22/2021


Introduction

Hi, dear friends. Thank you for reading this article on Amoozin's development weblog. This article is another piece of work from the science and technology club of the Oxford Plus website, and we hope it is helpful as well.

This article is about a very important security issue that must be kept in mind when designing websites. Yes, we are going to discuss the SQL injection attack.

Figure 1. SQL Injection Attack

Please note that in this article I am not going to give a complete, classroom-style explanation of the SQL injection attack, because there are numerous pages on the internet on this subject (the result of a Google search) and a thorough treatment here would take a great deal of time. The aim of this article is a quick look at SQL injection, a warning that website designers must be aware that this kind of attack exists, and a way to protect our website from it.

The basic mechanism of a SQL injection attack is this: a website user enters text other than what you expect, namely SQL instructions, in a text box of a web page or in the address bar of the browser. If your code builds a SQL statement by pasting that text directly into it, the database runs the user's text as part of the statement. In this way the user can gain access to the information in your website's database and can even manipulate or delete it. In other words, he or she can hack your website.

To clarify the subject, I offer an example. Suppose that on the login page you take the username of a website user through a text box called txtUserName and search for its Text value in the database to see whether that user is already registered on your website.

The first method that comes to mind for doing this is a line of code like the one shown in figure 2.

Figure 2. Searching the username in the database (C#)

In the code of figure 2 we simply search the database, via SQL instructions, for the username that the user entered in the text box txtUserName. Our website becomes vulnerable when we assume that every user will enter plain text in txtUserName. For example, you may expect that all users will enter a name such as Ghanbari. In that case the SQL statement SELECT * FROM Oxford_Plus_Table WHERE UserName='Ghanbari' is executed on the website's database.

But what happens if some user enters text like ' OR '1'='1 ? In that case a SQL statement such as SELECT * FROM Oxford_Plus_Table WHERE UserName='' OR '1'='1' is executed on our website's database. (The shorter input ' OR 1=1, which appears later in this article, has the same effect if the attacker also ends the statement with a comment marker such as --; otherwise the closing quote that the code appends leaves the statement with a syntax error.) The condition UserName='' is false, but the second condition, '1'='1', is always true, and we know that False OR True gives True. So the query returns every row of the table, and if the login code only checks whether any row came back, the user is logged in illegally. This is an example of a SQL injection attack.

This simple example shows that if we are not prepared for SQL injection, our website's database is very vulnerable to a hacker, from stealing the information of the website's ordinary users to deleting the whole database!

Our suggestion

A very simple solution that I can suggest for protecting our websites against SQL injection is to use the EncodeString(...) and DecodeString(...) web services that we offer free of charge at http://webservices.oxford.plus. You can use these web services in your website's code: first encode the user's input data, then search for the encoded data in your database using SQL. The web service EncodeString(...) takes a string as input and returns the corresponding encoded output as a string.

The DecodeString(...) web service does the reverse: it takes encoded data (that is, the output of EncodeString(...)) as a string and returns exactly the data that the user typed.

In this way, using these web services, we can convert the data that users enter in the text boxes of our web pages or in the browser's address bar into an encoded, safe form before embedding it in SQL statements and executing them, and on demand we can extract the original data again.

The mechanism of protection

Suppose that some user types the expression ' OR 1=1 as input. The web service EncodeString(...) converts that expression to the string 39-32-79-82-32-49-61-49- (each number is the character code of one input character: 39 is the quote, 32 the space, 79 and 82 are O and R, and so on). The original expression can be executed on the database, but as you can see, the converted string contains no SQL instructions, no quotes and no other SQL metacharacters, so it can never be executed on a database.

Indeed, every input you give to the web service EncodeString(...) is converted into a chain of numbers with - signs between them. Therefore, if you encode all of your users' input via this web service before embedding it in SQL statements, you can be sure that no unexpected SQL statement will be executed on your website's database, because regardless of its content, every input is converted to a series of digits and - signs.

The method of using webservice

Using the EncodeString(...) and DecodeString(...) web services in a website's code is as simple as using any other web service. But to remove any ambiguity, I will show an example of using them here.

I create a new website called TestWebSite in the Visual Studio environment and add a series of controls to it for taking input from users and showing data, as shown in figure 3. (Dear friend, note that if you write your website in another programming language such as PHP, you can still use these web services.)

Figure 3. The page of taking and showing data

Then I add a WebReference called OxfordPlusWebServicesV1Proxy for those web services to my new website (figure 4). Note that I have written about web services in detail in a Farsi article (Here). If you have no experience creating and using a WebReference, that article may help you, even if you do not know Farsi!

Figure 4. Adding WebReference to new website

In the code-behind, at the place marked with a blue arrow in figure 5, I have declared the added WebReference with the 'using' keyword, and at the place marked with a red arrow I have defined an instance of that web reference called myOxfordPlusService.

Figure 5. Declaration of the web service

After these simple steps you can easily invoke the EncodeString(...) and DecodeString(...) web services from your website and use them whenever you need them. As you can see in figure 6, I have used EncodeString(...) at the place marked with a green arrow and DecodeString(...) at the place marked with a pink arrow.

Figure 6. Invoking webservices in the code behind

Figure 7 shows an example of converting input data to its code and back again.

Figure 7. An example of encoding and decoding with the web services

In the case mentioned at the top of this article, if we change the code as shown in figure 8, the username taken from txtUserName is encoded and then searched for safely in the database. (Of course, for this to work, all of the data in the database must already have been stored in encoded form.)

Figure 8. Searching for the username safely using the EncodeString(...) web service
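As an added example, not code from this article or from the Oxford Plus web services, the following Python script replays the whole argument offline against an in-memory SQLite table: the string-concatenated lookup of figure 2 and the ' OR '1'='1 input that makes it return every row, a local encode_string/decode_string pair that reproduces the 39-32-79-... format the article describes for EncodeString(...) and DecodeString(...) (assumed from the single sample shown: the character code of each input character, each followed by a dash), the encoded lookup of figure 8, and, for comparison, the parameterized query that database drivers provide for exactly this problem. The table name Oxford_Plus_Table is from the article; the UserNameEncoded column and the sample usernames are constructed for the example.

```python
import sqlite3
from typing import List

# Sample accounts, constructed for this example.
SAMPLE_USERS = ["Ghanbari", "alice", "bob"]


def encode_string(text: str) -> str:
    """Encode text the way the article describes for EncodeString(...):
    the character code of each character, each followed by a '-'.
    Format assumed from the article's one sample:
    "' OR 1=1" -> "39-32-79-82-32-49-61-49-"."""
    return "".join(f"{ord(ch)}-" for ch in text)


def decode_string(encoded: str) -> str:
    """Reverse of encode_string (what the article's DecodeString(...) does)."""
    return "".join(chr(int(code)) for code in encoded.split("-") if code)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table holding both the plain and the encoded username
    (the UserNameEncoded column is an assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Oxford_Plus_Table (UserName TEXT, UserNameEncoded TEXT)")
    conn.executemany(
        "INSERT INTO Oxford_Plus_Table VALUES (?, ?)",
        [(name, encode_string(name)) for name in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The figure 2 approach: user text pasted straight into the SQL statement."""
    sql = f"SELECT UserName FROM Oxford_Plus_Table WHERE UserName='{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_encoded(conn: sqlite3.Connection, username: str) -> List[str]:
    """The figure 8 approach: encode first, then concatenate the encoded form.
    The encoded value holds only digits and dashes, so it can neither close the
    quote the statement opened nor add SQL of its own."""
    encoded = encode_string(username)
    assert set(encoded) <= set("0123456789-"), "encoder produced a metacharacter"
    sql = f"SELECT UserName FROM Oxford_Plus_Table WHERE UserNameEncoded='{encoded}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """For comparison: a parameterized query. The driver passes the text as a
    value, never as part of the statement, so the data needs no encoding."""
    rows = conn.execute(
        "SELECT UserName FROM Oxford_Plus_Table WHERE UserName=?", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"  # the login-bypass input from the article
    print("vulnerable    :", find_user_vulnerable(db, attack))     # every user
    print("encoded       :", find_user_encoded(db, attack))        # no match
    print("parameterized :", find_user_parameterized(db, attack))  # no match
    print("encoded form  :", encode_string("' OR 1=1"))            # 39-32-79-82-32-49-61-49-
    print("decoded again :", decode_string(encode_string("' OR 1=1")))
```

Two things the encoded lookup depends on: the table must hold the encoded form of every username, as the article notes, and because the stored value is a string of digits and dashes, it can only be compared for exact equality; a query that needs to match part of the original text or sort it alphabetically has to work on the decoded value. The encoding is reversible, so anyone who can read the column can recover the original text with decode_string: it protects the statement, not the stored data.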

Finally, I am giving you the source code of TestWebSite (the one used in this article) via the link below; if you want to try it yourself, you can download it:

Download link for source code of TestWebSite

Written by: Abdolreza Ghanbari

This page was updated on

  • 05 February 2021
  • 31 May 2018
  • 12 May 2018
  • 06 May 2018
  • 05 May 2018
