2013 International Conference on Informatics and Creative Multimedia

A taxonomy of SQL Injection Attacks

Amirmohammad Sadeghian, Mazdak Zamani, Shahidan M. Abdullah

Advanced Informatics School
Universiti Teknologi Malaysia
Kuala Lumpur, Malaysia
[email protected] , [email protected] , [email protected]

Abstract— Nowadays web applications play an important role programming to run a query. However, SQL includes
in online business including social networks, online services, powerful functions that allow professional users with
banking, shopping, classes, email and etc. Ease of use and programming skills to make more complex queries and
access to web application make them more popular in offering execute them to achieve higher performance. Like other
online services instead of in person services. a simple user just programming languages SQL let the user to use inline
need a computer and an internet connection to access web comments in the code, even between statements. SQL also
application and use online services provided by that give the ability of concatenation and combining to character
application. There is one core in common between all dynamic or values.
web application and that is their need to use a database to
Databases are the main storage of potential confidential
store information inside that and retrieve that information
upon the user request or add, edit and delete them. Among all
information online and this is a good motivation for attackers
database types, rational databases are very popular. Most of to target them. SQL injection is one of attacks that attackers
relational database management systems such as MySQL, use to breach the database security. Among many types of
Oracle, MS SQL Server, MS Access, Postgres use SQL as their web application vulnerabilities, SQL Injection is the most
language. Flexibility of SQL makes it a powerful language. It dangerous one [1]. The main motivation of this paper is to
allows the user to ask what information he wants without inform web application developer and security researcher
having any knowledge about how the information will be fetch. about possibilities of SQL injection attack. Having a good
However vast use of SQL based databases make it the center of understanding of how different types of SQL injection
attention of hackers. SQL injection attack is a well-known attacks works can be helpful in writing a more defect free
security threat to database driven web applications. A code.
successful SQL injection attack reveals critical confidential The rest of this paper is organized as follows. Section 2
information to the hacker. In this paper first we provided explained the background of SQL injection problem. Section
background information on this vulnerability. Next we present 3 explained different types of SQL injection attack following
a comprehensive review of different types of SQL injection by an example. Section 4 proposed the best solution at
attack. For each attack we provide an example that shows how coding phase to defeat SQL injection attack. And section 5 is
the attack launches. Finally we propose the best solution at the conclusion.
development phase to defeat SQL injection and conclusion.
II. SQL INJECTION PHENOMENON
Keywords- SQL Injection; SQLIA; Web Application
Vulnerability; Information Security; SQL injection is a type of attack which attacker inserts a
malicious SQL query into the web application by appending
it to the input parameters [2]. SQL injection occurs when the
I. INTRODUCTION developer used dynamic queries which are concatenated with
Currently all businesses prefer to move on from the "in variables from the user side. In lack of strong input
person services" to "online services", and this is due to cost validation the malicious SQL query will insert into the web
of labor and possible mistakes that might happen during the application and instead of variables, concatenate itself with
work. A well-established web application can easily satisfy the legitimate query. And send to the database management
needs of companies that want to serve their customers online. system for execution. In result the malicious query will be
Web applications that use database to store and retrieve data executed.
are named “Database Driven Web Applications”. One of the For instance we assume that we have a webpage that
most common types of databases is relational database. receive an integer variable as news id and show the related
Structured Query Language (SQL) is a type of programming news to that Id.
language which created for handling and controlling data in http://www.domain.com/news.php?nid=170
the relational database management systems (RDBMS). Attacker append the “‘ OR ‘1’= ‘1 “ to the end of the
Flexibility of SQL makes it a powerful language. It URL:
allows the user asks what information he wants without http://www.domain.com/news.php?nid=170’OR‘1’=
’1
having any knowledge about how the information will be In result of opening this address the PHP web page will
retrieved. This will help users without knowledge of return all the news without considering the id of news. This

978-0-7695-5133-3/13 $26.00 © 2013 IEEE 270

264
269
DOI 10.1109/ICICM.2013.53
Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:09:56 UTC from IEEE Xplore. Restrictions apply.
 is because the “1=1” is a true condition and “OR” will make Input (username): 'ABCD"
the whole condition true, no matter which statement is true. Input (password): 'TEST"
Sql: SELECT * FROM USERS WHERE username =
III. SQL INJECTION CLASSIFICATION 'ABCD"' AND password = 'TEST'

A. Tautologies Result: "Incorrect syntax near 'ABCD'.

Unclosed quotation mark after the character
This type of SQL injection attack works by making the string '' AND Password='TEST''."
“WHERE” clause always true, And this will result in
bypassing the condition inside the SQL statement. Attackers In result of Incorrect Queries attack two type of error
mostly use tautology SQL injection to bypass the might return, logical and syntax. Logical errors use to fetch
authentication. They also add inline comment signs to ignore the name of the columns or tables. But syntax errors show
the remaining part of the statement to achieve to the highest which parameters are open to injection attack.
amount of the result in return with the lowest range of For securing the web application against this attack the
conditions [3]. Mostly SQL tautologies are comes handy error reporting system should be disabled or properly
when the attacker try to force a SQL statement to return all configured to show only limited errors that don’t reveal
records, by ignoring all WHERE conditions. The most critical information about the database structure.
common tautology is “or 1=1”. It will put another condition C. UNION Query
by concatenating the “OR” and the “1=1” criteria that always
is true so the result of the whole condition will be true [4]. The UNION operator in SQL language is used to join
Below is a SQL query for fetching all columns that their two independent queries together. In union query, attacker
username are equal to “Administrator” and their pass is equal uses “UNION” to extract data from other tables by injecting
to “root”. another select query and unioning that with original SQL
SELECT * FROM TABLE_USERS WHERE USERNAME = statement. By using this method attacker force the database
‘ADMINISTRATOR’ and PASS = ‘ROOT’ to return result from extra tables other than the one defined
Below is a variable value that is injected as a SQL in the legitimate SQL query [6].
Injection tautology attack. For extracting data from the database by using union,
‘ OR 1=1 -- attacker need to have the structure of the database such as
And below is the final SQL query in result of the table names and field names that later can build the
concatenation of the outside variable and the main SQL secondary query based on these information and join it with
statement. Running this query will return all rows from the the original query string. In the following example attacker
“TABLE_USERS” that their username is insert a union SQL query at the end of the URL in the
“ADMINISTRATOR” without considering their password. address bar of the browser.
SELECT * FROM TABLE_USERS WHERE USERNAME = Original URL:http://www.example.com/news.php?
‘ADMINISTRATOR’ and PASS = ” OR 1=1 –’ newsid=340
B. Illegal/Logically Incorrect Queries Manipulated URL: http://www.example.com/news
In this technique the aim of attack is to collect important .php?newsid=340 UNION SELECT CreditcardNo,
information about the schematic and structure of tables and PinNo FROM CreditCardTable
fields inside the database. Attacker later will use the In result of the SQL injection the query will look alike
collected data for launching another attack in more details below:
SELECT NewsTitle, NewsBody FROM News
[5]. Basically the mechanism of this attack works by WHERE NewsID = '340' UNION SELECT
injecting wrong or incorrect SQL query into the web CreditcardNo, PinNo FROM CreditCardTable;
application and web application will return some information Consequently database will return two columns. The
about the database in form of error message. Inappropriate content of these columns are join of the results from the first
handling of errors can leads to showing internal database query and the second query. In this example the first row is
error messages to the attacker. These kinds of messages will fetch from news table and second and third rows are fetching
reveal critical information about the database structure and from the credit card table
attacker will use them to conduct another attack with higher
impact on the website. Even in some cases if the web TABLE I. AN EXAMPLE DATASET RESULT OF UNION QUERY ATTACK.
application limit the output errors or the way which they News Title 340 This is the example news body….
appearing to avoid showing the structure of the database, the
100 340 955 888 333 398
fact that an error show or don’t show can be enough
230 110 715 701 325 102
informing for the attacker.
For instance in the following attack, the attacker insert
“ABCD" ” in the username field and because the "(Double A successful Union Query attack can reveal the whole
Quote) will break the structure of the SQL statement in result structure of the database and all data inside that. Below is a
Database will return an error message that reveal another flow of a full union query attack and it shows that an attacker
column name inside the query string. Now attacker know with zero background knowledge about the current database
that there is a column exist in database named “Password”. can find Table, Column and field names.

270
271
265

Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:09:56 UTC from IEEE Xplore. Restrictions apply.
 In the following example in the four first attempt attacker Input Year: 2013
try to understand, how many columns are selected in the Input Author: ; drop table users --
Input Type: public
legitimate query. This is due to the fact that for a successful In result of inserting above inputs the following query
union query, attacker needs to know how many columns are will be made, this query will select all news that are from
selecting in the original query. And when he wants to build a year 2013 and semicolon finish the first SQL query and
new query and join it with the original query he should select second query will delete the table of user’s information and
the same amount of columns from the secondary table. “--” will ignore the rest of the query.
URL: http://example.com/news.php?id=10 UNION SELECT * FROM news WHERE year=’2013’ AND
SELECT ALL 1-- author=’’; drop table users -- ’ AND
ERROR: All queries in an SQL statement type=’public’
containing a UNION operator must have an
equal number of expressions in their target E. Stored Procedures
lists.
Stored procedures are premade portion of SQL queries
URL:http://example.com/news.php?id=10 UNION that are designed to do a specific task. Some of the database
SELECT ALL 1,2-- systems have their own pre-defined stored procedures for
ERROR:All queries in an SQL statement
containing a UNION operator must have an working with operating system. Poor written store
equal number of expressions in their target procedures are also vulnerable to SQL injection attack and
lists. attacker can execute them to achieve his malicious goals. If
URL:http://example.com/news.php?id=10 UNION
the attacker can execute database predefined stored
SELECT ALL 1,2,3-- procedures, he also will be able to run commands on
ERROR:All queries in an SQL statement operating system of the server machine (Privilege
containing a UNION operator must have an escalation).
equal number of expressions in their target
lists. Currently a lot of developers wrongly believe that using
of stored procedures is a good method to avoid SQL
URL:http://example.com/news.php?id=10 UNION injection but this is not true in general. Basically stored
SELECT ALL 1,2,3,4- procedures can be helpful in avoiding SQL injection by
NO ERROR
In the fourth attempt when he didn’t received any error limiting the types of statements that can be passed to SQL
he can understand that there are four columns selected in the parameters. This limitation cannot completely protect the
original query. From now on he has to select his desire application against SQL injection because still there are
information in form of four columns. For instance following some ways to bypass these limitations.
attack will retrieve the database name: In the following example there is a stored procedure that
http://example.com/news.php?id=10 UNION receive category variable from the outside world.
SELECT ALL 1,DB_NAME,3,4-- ALTER PROCEDURE get_news (@category
NVARCHAR(50)) AS
D. Piggy-Backed Queries BEGIN
DECLARE @sqlcmd NVARCHAR(MAX);
In this type of attack, the attacker will inject an SET @sqlcmd = N'SELECT * FROM news WHERE
independent query and in result of a successful attack the news_cat = ''' + @category + '''';
second query will run after the first original query that EXECUTE(@sqlcmd)
END
already ran. The different of this attack with UNION attack Assume attacker insert the following input:
is that the queries will not join each other but they are sport'; SHUTDOWN; --
completely independent. This attack named piggy back In result of running this query all news from the news
because the secondary query will be sent to database under table with category of sport will be selected and after that
the cover of the first query [6]. semicolon will end the first query and second query will shut
Implementing this attack is only possible if the database down the SQL server.
configured in a way that give this permission to the user to SELECT * FROM news WHERE news_cat = 'sport';
run multiple queries in the same line. This type of attack can SHUTDOWN; --
be very dangerous because it give the ability to the attacker F. Inference
to add any kind of SQL command he want and run it in the
database, which can causes a high impact incident. In this type of attack, attackers inject the SQL and
Semicolon ( ; ) is playing an important role in this type of observe the differences in return from the web application.
attack because attacker use it as a delimiter for the end of the Basically attack launched by asking questions. For example
first query and the start of new query. But in some database if the answer is “A” do “M” or if the answer is “B” do
management systems, the existence of delimiter is not “N”[7]. Usually this attack take place when the web
necessary. application is harden in aspect of error handling and attacker
In the following example we can see a query which will cannot use the error messages.
fetch news from the news table based on 3 conditions of There are two main attack technique categorized as
year, author and type. Inference attacks, “Timing Attacks” and “Blind Injections”.
SELECT * FROM news WHERE year=’.$year.’ AND • Timing Attacks:
author=’.$author.’ AND type=’.$type.’ In timing attack, SQL injection will let the
Assume attacker inset the following inputs: attacker to understand the answer to his question by

271
272
266

Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:09:56 UTC from IEEE Xplore. Restrictions apply.
 the time it takes to load the result page. This type of attack. In other words, it only used as a cover for other
attack are very likely to works in secure web attacks to evade from Intrusion detection systems (IDS) [9].
application because they are relies on the delay that In this type of attack, encoding techniques such as
happen in the running of the injected SQL and not Base64, ASCII, HEX or Unicode might be used to trick the
the web application output [8]. IDS/IPS by changing the look of the SQL injection query.
In the following example attacker ask from Assume we have an intrusion detection system with
database, if database version contains number 4 (like following signature. In this signature, IDS will look for “ ' or
4) have a 10second delay before you replay and load 1=1 – ” , if IDS successfully found the pattern will drop the
the page. connection and show an error.
http://www.MyWebsite.com/news.php?id=12 alert tcp any any -> $HTTP_SERVERS
0 AND IF(version() like ‘4%’, $HTTP_PORTS (msg: “SQL Injection attempt”;
sleep(10), ‘false’))-- flow: to_server, established; content: “' or
Above example is in MySQL. The delay 1=1 --”; nocase; sid: 1; rev:1;)
command is different based on the vendor of the In the following examples, we can see the encoding of
database management system. Microsoft SQL server the same SQL injection string for evasion from IDS.
uses “WAITFOR” command. Oracle and MySQL HEX encoding of ' or 1=1 -- for use in URL:
use “SLEEP” command for making the delay. %31%20%4F%52%20%31%3D%31
HEX encoding of ' or 1=1 --:
• Blind Injections: 1 OR 1=&#x
Blind SQL injection is another technique of 31;
inference injection. In this type of attack the attacker Decimal encoding of ' or 1=1 --:
will asks a true / false question and he observe the &#49&#32&#79&#82&#32&#49&#61&#49
answer based on behavior of web application in Base64 encoding of ' or 1=1 --:
response ( Also known as content-based ). This MSBPUiAxPTE=
situation makes the attack process harder for the Using comments in the attack is also very common
attacker but cannot avoid the attack. For example we technique of evasion. Comments can change the usual
assume the web application is secured enough to appearance of the query to avoid the detection by IDSs and
avoid showing error messages that contains database IPSs [10].
structure. But if the application is still vulnerable to Following example use “/* */” comment to evade. In this
SQL injection, the attacker will ask from the web example whatever is in between /* and */ will not considered
application if first letter of username of database is to be execute in MySQL server but it can change the look of
"a" show the page or vice versa. In the worst case the attack in result the IDS cannot detect it.
DROP/*comments will goes here*/users =
these attempts continue for 26 times until he can In the following example we can see that using of
guess the first letter of the database name, and comment even in the middle of name of the function is also
consequently he has to repeat the same procedure to possible and it will not be considered for execution in
retrieve the other letters of the database username. MySQL. In this example DR/**/OP will act like DROP
In the following example attacker try to guess the function, so this flexibility of SQL language will give too
table names which exists inside the database. In this much choices to attacker to change the appearance of his
case he had two attempts, at the first attempt he asks attack to evade the detection algorithms.
from the database “Select first row as 1 from the table DR/**/OP users
admin”. Table “admin” is not exists in the database,
so the result is false and this result is part of AND IV. PROPOSED SOLUTION
condition. Consequently the page will not load Security researchers proposed wide ranges of solutions to
because the condition is not satisfied. combat with SQL injection. These solutions can be
http://example.com/news.php?id=132 AND
(select 1 from admin limit 0,1)=1 categorized in three main groups of Best code practices, SQL
We assume a table named "users" exists in the injection detection and SQL injection runtime prevention.
database, so in the second attempt query can select Each of them has their own advantages and disadvantages
the first row of the table. And this satisfies the which due to the space limitation we cannot cover them in
condition and the page will load in result, now the this study. But the best solution can be the avoidance through
attacker knows that there is a table named "users" writing secure codes. Writing secure code is a part of best
exists in the database. coding practices. Among all best code practices, using
http://example.com/news.php?id=132 AND Parameterized Queries is the most secure and efficient
(select 1 from users limit 0,1)=1 technique.
G. Alternate Encodings Parameterized Queries also known as prepared
statements. In this technique there are some placeholders in
Alternate encoding is not an independent type of attack the SQL query for the user variables. Database management
but it’s a technique that mostly used next to other SQL system first will compile the SQL statement without
injection techniques to avoid security system of that web considering the placeholders and store the result. Next it will
application or network infrastructure from detecting of the add the variables and compile the statement for the second

272
273
267

Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:09:56 UTC from IEEE Xplore. Restrictions apply.
 time. Consequently even if the attacker inserts a malicious
query, the database will treat it like an ordinary string.
Parameterized queries make sure that attacker cannot
change the SQL query string even in case of using dynamic
queries.
V. CONCLUSION
SQL injection is a dangerous attacking method which can
be very sophisticated. In this paper we only cover a simple
example of each attack. However each of these attacks can
be launch in a more complicated way. A good understanding
of SQL injection techniques can help developers to make
their applications and the network more secure against this
vulnerability. There are many types of defense techniques
exist against this attack, but we believe avoidance is the best
solution. We strongly suggest to developers to use
Parameterized queries for making dynamic queries to avoid
SQL injection.
REFERENCES

[1] (OWASP), “O.W.A.S.P. Top 10 Vulnerabilities.”; Available from:

https://www.owasp.org/index.php/Top_10 2013.
[2] Shar, L.K. and T. Hee Beng Kuan, Defeating SQL Injection.
Computer, 2013. 46(3): p. 69-77.
[3] Dharam, R. and S.G. Shiva. Runtime monitors for tautology based
SQL injection attacks. in Cyber Security, Cyber Warfare and Digital
Forensic (CyberSec), 2012 International Conference on. 2012.
[4] Halfond, W., J. Viegas, and A. Orso. A classification of SQL-
injection attacks and countermeasures. in Proceedings of the IEEE
International Symposium on Secure Software Engineering, Arlington,
VA, USA. 2006.
[5] Jie, W., et al. Augmented attack tree modeling of SQL injection
attacks. in Information Management and Engineering (ICIME), 2010
The 2nd IEEE International Conference on. 2010.
[6] Medhane, M.H.A.S., Efficient Solution for SQL Injection Attack
Detection and Prevention. International Journal of Soft Computing
and Engineering (IJSCE), 2013.
[7] Anley, C., Advanced SQL injection in SQL server applications.
White paper, Next Generation Security Software Ltd, 2002.
[8] Halfond, W.G.J., A. Orso, and P. Manolios, WASP: Protecting Web
Applications Using Positive Tainting and Syntax-Aware Evaluation.
Software Engineering, IEEE Transactions on, 2008. 34(1): p. 65-81.
[9] Lori Mac Vittie, "SQL Injection Evasion Detection", White Paper-F5
Networks , September 2007 .
[10] Maor, Ofer, and Amichai Shulman. "SQL injection signatures
evasion." Imperva, Inc., Apr (2004).

273
274
268

Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:09:56 UTC from IEEE Xplore. Restrictions apply.