There has actually been debate over how I pronounce this. I call it "sequel" (SQL) injection; the acronym is S-Q-L. Whichever you call it, it's a way to attack websites that really shouldn't work anymore but still does.
SQL, "sequel" or S-Q-L, is a language in which you talk to databases, and it's fairly like English, actually. You can say things like "select from this table." It's not a complicated language. There are no great amounts of curly brackets and semicolons and things like that. There can be, but equally you can pretty much type commands in near English into it, and you will get results back from your database. And this has existed for years and years and years, and that was all fine until the web came along.
Now people are looking at websites and thinking, the thing is, these need to be hooked up to databases. Because way back when Tim Berners-Lee invented the World Wide Web, it was pretty much: I'm going to request a document, and you're going to send that document back to me. Eventually people worked out that what you really wanted to do was send a document and have different things come back depending on what you sent. Maybe you could type in a search request, and that would go to a database and pull back something. That's great, that's brilliant, that's a wonderful invention.
Unfortunately, some programming languages dealt with this in a sensible way; some did not. And one of the most notable that didn't is a language called PHP. I am a PHP coder. It's a very easy language to write in. It's a friendly language. I still haven't met any other language that lets me develop code at the speed that I am able to. It's very fault tolerant, within reason; it doesn't always give you the best results when it does, but, you know, it's friendly, it's easy to pick up, and crucially you can just write it into a text file, upload it to a web server, in most of the world, and it will just work. You can type in PHP code and have it just run. So the barrier to entry is really, really low, which in one way is brilliant. It makes web programming much more accessible. Facebook was originally written in PHP. Innumerable things have originally been written in PHP, and lots of things still are. WordPress still is. The trouble is that if you are not careful there are a lot of ways to go wrong. And this isn't just PHP; I will use it as an example.
You talk to a database by initiating a command like this: SELECT * FROM users WHERE username = 'tom'. Great! And the database will send back all the details it knows about the user called Tom. Brilliant! But the catch is those quotation marks, because if I am not careful about what I send, then we can cause some problems.
Let's say, for example, that I have a web form that lets me log in and I type in Tom. It sends that and brings back Tom. Okay. Now let's say I type in Tom with a quote mark in it (Tom'). If you are not careful, what will happen is the language will send something like this: username equals, then Tom, then I put a quote mark in, then it puts a quote mark in, and it fails because the quote marks don't match up. The whole thing crashes and it just sends back an error. That's mildly annoying, and the big problem, of course, is putting in any text that has a quote mark. The catch is you can do a lot of damage that way.
Because that language doesn't just have SELECT. It has INSERT to add new stuff, it has UPDATE to change stuff, and it has DELETE to remove stuff. If I was to send, say, a username that was Tom, close quote, semicolon, and then put another command in there like "delete everything" (it's not a literal command, but something like that), it would work.
So have a look at how that works. We've got a normal command: SELECT * FROM users WHERE username = ... Long command there. But when you put in Tom, I'm going to send that, and then I'm going to send this: drop all databases. Hit enter, it will convert it into the plain English command, it will get sent, and the database will go, "Well, that's exactly what I should do." It's going to understand that there's a new command at the semicolon, and it should just delete everything.
The main way around it is escaping. When there is a dangerous character like a quote mark, you put a slash before it. By "you" I mean you, the programmer writing this. You go through, when you use a function that says: everywhere there is a quote mark, put this slash before it. And before you send it to the database you do that. Input comes in from the user, add some slashes to make it safe, send it out to the database. And the database looks at those slashes and goes: right, every time it's one of those, this thing is coming next, just treat it as a regular quote mark. Don't treat it as anything special; it's in the text, just treat it as that. And if you want to send an actual slash, you send two slashes, the first one to say it's a real character, and then it works.
But for a while this kind of sending commands in plain English was the only way to make things work in a couple of languages, including PHP, the most commonly used web programming language in the world. To make this worse, the command to add those slashes was the wonderfully named mysql_real_escape_string: MySQL, the name of the database; "real"; "escape string", being what you wanted to do; and then you put in whatever text you want. MySQL being the name of the database, and "real" because the first one didn't work, and they couldn't change it because of backwards compatibility. So anyone who used the original string, which is like more than 10 years ago now, but anyone who would use the original form of this: completely insecure. Rather than patch that, they just added the word "real". Anyone who forgot to add that or hadn't read through all the documentation... yep. Anyone can come along and effectively delete your database, or do more subtle things like update other people's accounts or read other people's passwords.
But once you've got access to the database, if you work out how it works, there is not much you can't do. And the thing is, it is so easy to get this wrong. If you get this wrong just once, anywhere in your code, and there are lots of really subtle ways, that I'm not going to get into, to get this wrong; it's not just a case of forgetting to escape quotes. There are lots of subtle ways to get it wrong. If you do that, then your web app is vulnerable, and if someone figures out there is a way in there, because they try and create a username with a quote mark in it... good luck; say goodbye to everyone's passwords.
The way it should be done is something called prepared statements, and if you are programming anything to do with databases you should be using prepared statements right now. The way they work is... it's a hack. It's a hack on top of a hack, because let's be honest, sending that kind of plain English SQL command from a programming language, that's a hack, and then we try to put more on top of that and more on top of that and more on top of that. But prepared statements at least keep it safe. With a prepared statement you send the query: SELECT * FROM users WHERE username = and then you just say question mark. And for that question mark you then later say: right, this is the data I am putting in. This is not a command. Don't do anything to this, no matter what it looks like. This is unsafe. Just take it, treat it very gently, store it in the database and don't look at it beyond that. It's more complicated than that; I am simplifying massively for, you know, talking to a camera. And if you are in web programming, you should look up the recent security guidelines of what you should do, etc., etc., etc.
But this is what you should be using, because right now, if you're not using prepared statements, it takes one mistake anywhere in your application, one thing where you've forgotten to put a quote mark in, or messed it up in some subtle way that uses a Unicode character, something wonderfully complicated, particularly if you're using a Microsoft database, that's for someone that uses Windows... If you are not using prepared statements, you are vulnerable, and you need to fix that. But in the meantime, attacks go... there are worse ones.