Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.
The following line of code illustrates this vulnerability:

statement := “SELECT * FROM users WHERE name = ‘” + userName + ‘;”                          
If the “userName” variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the “userName” variable as a’ or ‘t’='t
renders this SQL statement by the parent language:

SELECT * FROM users WHERE name = ‘a’ or ‘t’='t’;                                                       
If this code were to be used in an authentication procedure then this example could be used to force the selection of a valid username because the evaluation of ‘t’='t’ is always true.                                                                                                                             
Theoretically any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of “userName” in the above statement would cause the deletion of the “users” table as well as the selection of all data from the “data” table:

a’;DROP TABLE users; SELECT * FROM data WHERE name LIKE ‘%
This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = ‘a’;DROP TABLE users; SELECT * FROM data WHERE name LIKE ‘%’;

Incorrect type handling                                                                                                             
This form of SQL injection occurs when a user supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric. For example:

statement := “SELECT * FROM data WHERE id = ” + a_variable + “;”
It is clear from this statement that the author intended a_variable to be a number correlating to the “id” field. However, if it is in fact a string then the end user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to

1;DROP TABLE users
will delete the “users” table from the database as the rendered SQL would be rendered as follows:

SELECT * FROM data WHERE id = 1;DROP TABLE users;

Database

Share This