Title: 
How bad guys hack into websites using SQL Injection

Word Count:
940

Summary:
SQL injection is one of the most common vulnerabilities on the internet today. There are literally thousands of vulnerable websites. This article explains how these attacks work.


Keywords:
sql injection, sql, security


Article Body:
SQL Injection is one of the most common security vulnerabilities on the web. Here I'll explain this kind of vulnerability in detail, with examples of bugs in PHP and possible solutions.

If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (often pronounced "sequel"). It's the de facto standard language for accessing and manipulating data in relational databases.

Nowadays most websites rely on a database (often MySQL) to store and retrieve data.

Our example will be a common login form. Internet surfers see these login forms every day: you type in your username and password, and the server checks the credentials you supplied. Ok, that's simple, but what exactly happens on the server when it checks your credentials?

The client (the user's browser) sends two strings to the server: the username and the password.

Usually the server will have a database with a table where the users' data are stored. This table has at least two columns, one for the username and one for the password. (In this simplified example the password is stored in plaintext; a real application should store and compare a password hash, but that does not change the injection problem described here.) When the server receives the username and password strings it queries the database to see if the supplied credentials are valid. It will use an SQL statement for that which may look like this:

SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those of you who are not familiar with the SQL language, in SQL the ' character is used as the delimiter for string literals. Here we use it to delimit the username and password strings supplied by the user.

In this example the username and password supplied by the user are inserted into the query between the ' characters, and the entire query is then executed by the database engine. If the query returns any rows, the supplied credentials are considered valid (that user exists in the database and has the password that was supplied).

Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:

SELECT * FROM users WHERE username=''' AND password=''

This would trigger a syntax error: the quotes no longer pair up, so the database engine cannot parse the statement. An application that shows such database errors to the user is also telling an attacker that their input reaches the query unescaped. Let's now see what would happen if we sent this input:

Username: ' OR 'a'='a
Password: ' OR 'a'='a

The query would become:
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since 'a' is always equal to 'a', and AND binds tighter than OR, the condition reads as username='' OR ('a'='a' AND password='') OR 'a'='a'; the last comparison is always true, so this query returns all the rows from the users table. The server will "think" we supplied valid credentials and let us in: the SQL injection was successful :).
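The login check described above, the lone-quote error and the ' OR 'a'='a bypass, run end to end as an added example (this is illustration code written for this page, not code from the original article). It uses an in-memory SQLite database instead of MySQL, which accepts the same queries here; the users table (username, password, email) and its single row testuser / testing / testuser@testing.com follow the article's own setup, while the function names and the constructed test inputs are this example's assumptions. Alongside the vulnerable string-built query it shows the usual fix, a parameterized query, so the same inputs can be compared against both.

```python
"""Vulnerable login check from the article next to a parameterized one.
Added example for this page; SQLite stands in for MySQL, and the
function names below are this example's own, not the article's."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create the article's users table with its one row (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))"
    )
    conn.execute(
        "INSERT INTO users VALUES ('testuser', 'testing', 'testuser@testing.com')"
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The article's query, built by string concatenation: the user's input
    becomes part of the SQL text, so a ' in the input changes the query's
    structure. Returns the matching rows; a non-empty list means 'logged in'."""
    query = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(query).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same check with placeholders: the values travel separately from the
    SQL text, so quotes in the input are just characters inside a string."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def try_login(login_fn, username: str, password: str) -> str:
    """Classify the outcome of one login attempt on a fresh database:
    'ok' (rows returned), 'denied' (no rows) or 'error' (the database
    rejected the SQL, as happens with a lone quote in the vulnerable version)."""
    conn = make_db()
    try:
        rows = login_fn(conn, username, password)
    except sqlite3.OperationalError:
        return "error"
    finally:
        conn.close()
    return "ok" if rows else "denied"


if __name__ == "__main__":
    # Constructed inputs: real credentials, a lone quote, and the article's bypass.
    cases = [
        ("testuser", "testing"),
        ("'", ""),
        ("' OR 'a'='a", "' OR 'a'='a"),
    ]
    for user, pw in cases:
        print(f"{user!r:16} vulnerable={try_login(vulnerable_login, user, pw):7}"
              f" safe={try_login(safe_login, user, pw)}")
```

With the vulnerable function the lone quote produces an error and the bypass string logs in without knowing any password; with the parameterized query both inputs are simply treated as (non-matching) strings and the login is denied, while the real credentials succeed in both versions.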

Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))

There's a single row in that table with data:

username: testuser
password: testing
email: testuser@testing.com