
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Database Operation | 249
SQL Injection
Some queries are actual attempts to attack the server. Since SQL is a language, it's
susceptible to lexical, grammatical, and logical errors. Exploiting SQL to crack a system
is also called SQL injection.
Let's say you have a web site where people register to access your content. Somewhere
you'll have a table defining your users: ID, password, and so on. You have a
script (Perl, PHP, or whatever) that collects the ID and password from a form and
checks the database to see if that user exists. In PHP, you might code:
$query = "SELECT * FROM USERS WHERE ID = '$id' and password = '$password'";
where $id and $password are the values from the form. (In Chapter 10, I point out
that we would actually take a few steps before this to ensure that $id and $password
actually came from the form.) If $id were shrek and $password were donkey, the query
would be:
SELECT * FROM USERS WHERE ID = 'shrek' and PASSWORD = 'donkey'
A cunning SQL injector could use these values instead, supplying the same text for
both $id and $password:
' OR ''='
This results in:
SELECT * FROM USERS WHERE ID = '' OR ''='' and PASSWORD = '' OR ''=''
This will select every row, because the trailing ''='' is always true and the OR makes the
whole WHERE clause succeed regardless of ID or PASSWORD. If we had used SELECT COUNT(*)
instead, we would get a count of all the rows.
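The following is an added example, not code from the book. It reproduces the PHP line above in Python against an in-memory SQLite table with three constructed rows, shows the query text that results from the injected values, and places a parameterized version of the same lookup next to it. The USERS table, the sample rows, and the function names are assumptions for the demonstration; the placeholder syntax (?) is SQLite's, and PHP's PDO prepared statements accept the same form.

```python
import sqlite3

# Constructed sample rows; not taken from the book.
SAMPLE_USERS = [("shrek", "donkey"), ("fiona", "dragon"), ("gingy", "cookie")]


def make_db():
    """Build an in-memory USERS table matching the columns the text describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (ID TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_concat_query(id_, password):
    """Mirror the book's PHP line: form values pasted straight into the SQL text."""
    return f"SELECT * FROM USERS WHERE ID = '{id_}' and PASSWORD = '{password}'"


def login_concat(conn, id_, password):
    """Vulnerable lookup: whatever the user typed becomes part of the SQL grammar."""
    return conn.execute(build_concat_query(id_, password)).fetchall()


def count_concat(conn, id_, password):
    """Same flaw with SELECT COUNT(*): returns the number of rows the WHERE matched."""
    query = f"SELECT COUNT(*) FROM USERS WHERE ID = '{id_}' and PASSWORD = '{password}'"
    return conn.execute(query).fetchone()[0]


def login_param(conn, id_, password):
    """Hardened lookup: placeholders keep the values out of the SQL text entirely,
    so a quote in the input is just a character to compare, never a delimiter."""
    query = "SELECT * FROM USERS WHERE ID = ? and PASSWORD = ?"
    return conn.execute(query, (id_, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR ''='"
    print(build_concat_query(injected, injected))
    print("concat, normal:  ", len(login_concat(conn, "shrek", "donkey")), "row(s)")
    print("concat, injected:", len(login_concat(conn, injected, injected)), "row(s)")
    print("count,  injected:", count_concat(conn, injected, injected))
    print("param,  injected:", len(login_param(conn, injected, injected)), "row(s)")
```

Run as a script, the concatenated form prints the exact query shown in the text and returns every row for the injected values, while the parameterized form returns none, since the database is asked whether any ID literally equals the string ' OR ''=' rather than being handed a rewritten WHERE clause.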
Chapter 10 includes more information on how to guard against SQL injection in
your Perl or PHP scripts. ...