A query string is useful when we want to pass a value from one page to another through the URL.
Example: http://example.com/over/there?id=4
Here we pass id=4, i.e. the results are fetched based on the id.
Why SQL Injection?
Query string data is directly visible to the outside world, which creates a security vulnerability. Sending sensitive data through the query string is not recommended, because it leads to SQL Injection.
SQL Injection
It is a technique where the attacker can inject SQL statements through Web page input controls.
SQL injection through Query String
Generally, we do not send sensitive information such as user name, password or credit card number through the query string. If you do send sensitive information through the query string, here is how a hacker can perform SQL Injection through it.
A hacker can inject a SQL query through the query string.
For instance: http://testwebsite.com/testdetails.aspx?emailId=firstname.lastname@example.org
// Vulnerable: the query-string value is concatenated straight into the SQL text
string strEmail = Request.QueryString["emailId"];
string SqlQuery = "SELECT * FROM temp_table WHERE emailID = '" + strEmail + "'";
The SQL query executed against the database then looks like the sample below:
SELECT * FROM temp_table WHERE emailID = 'email@example.com'
The SQL query above, as expected, queries the database for the user information filtered by the emailID. Because the query string parameter's value is not SQL encoded, a hacker can take advantage of this and easily modify the query string value to embed additional SQL statements next to the actual SQL statement to be executed. For instance:
The hacker can modify the actual URL with SQL injection, as in the sample below:
http://testwebsite.com/testdetails.aspx?emailId=firstname.lastname@example.org';DROP DATABASE userdb--
Notice how the hacker appends the malicious ';DROP DATABASE userdb-- text to the emailId query string value, using it to terminate the current SQL statement (via the ";" character) and then add his/her own malicious SQL statement. After the request is submitted, the first statement executes against the user table and the second removes the userdb database. Observe also that the hacker ends the injected value with the -- characters, which means that everything after them in the statement is treated as a comment and ignored.
The hacker can also inject ADD, UPDATE, INSERT, ALTER, etc. statements to modify the user details.
The sample code block, given below, causes SQL Injection through the query string:
Test Cases for SQL Injection through Query String
Actual URL: http://localhost:2001/querystringinjection.aspx?userName=testUser
Test Case 1
If the end user gives the query string parameter userName=testUser, he/she will not find any records, because there are no records in the database table for that value. If we give userName = testUser' or '1'='1 instead, we get all the records, because the appended ' or '1'='1 makes the condition always true.
Test Case 2
If we give userName = testUser'; update PO_USER_DETAILS_MASTER set userEmail='testUser@gmail.com-- as the input value, we will see userEmail='testUser@gmail.com-- for all users in the database table.
Test Case 3
If we give userName = sampleUser' drop table sampleTable--, we cannot see the user details; in the database, the hacker has dropped the table.
Test Case 4
If we give userName = sampleUser' or '1'='1' drop table sampleTable --, we can see the user details; in the database, the hacker has dropped the table.
Test Case 5
If we give userName = <script src="http://localhost:2001/Attackerscript.js"></script>, we can inject malicious script code through the query string value.
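As an added example (not the article's ASP.NET code), the following Python script models the same concatenated lookup against a constructed in-memory SQLite table, runs the Test Case 1 input and the -- comment trick from the article against it, and shows the parameterized form that treats both inputs as plain data. The table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the article's user table (not real data).
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_details (userName TEXT, userEmail TEXT)")
    conn.executemany("INSERT INTO user_details VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(user_name: str) -> list:
    """The article's pattern: the query-string value is pasted into the SQL text."""
    sql = "SELECT userName, userEmail FROM user_details WHERE userName = '" + user_name + "'"
    return open_db().execute(sql).fetchall()


def lookup_parameterized(user_name: str) -> list:
    """Hardened form: the value is bound as a parameter and is only ever compared as data."""
    sql = "SELECT userName, userEmail FROM user_details WHERE userName = ?"
    return open_db().execute(sql, (user_name,)).fetchall()


if __name__ == "__main__":
    # Test Case 1: no such user, so the honest lookup returns nothing ...
    print(lookup_vulnerable("testUser"))
    # ... but the tautology makes the WHERE clause always true and returns every row.
    print(lookup_vulnerable("testUser' or '1'='1"))
    # The -- sequence comments out the rest of the statement, including the closing quote.
    print(lookup_vulnerable("alice'--"))
    # With a bound parameter both inputs are just strings that match no userName.
    print(lookup_parameterized("testUser' or '1'='1"))
    print(lookup_parameterized("alice'--"))
```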
Techniques to prevent SQL injection through Query String
To prevent such SQL injections, you can follow the same techniques that I discussed in one of my earlier articles, given below.