Test Now: Is Your Web Site Or Web Application Vulnerable To SQL Injection Attacks?

Aafrin October 23, 2010

According to Wikipedia, SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

In layman's terms, an attacker can craft a specific URL within the domain of a website or web application and extract important information from the database, such as the database schema, column structures and records that contain vital information like user names and passwords. Some studies suggest that more than 60% of Web applications that use dynamic content are likely vulnerable to this type of attack.

To test whether your website or web application is vulnerable to the attack, follow the simple instructions below:

1. Find a URL within your website or web application that has a format similar to the one below.

http://www.yoursite.com/page.php?id=1

2. Next, modify the URL by adding a single quote character (') either in front of or behind the integer. See the examples below for reference; either one can be used.

http://www.yoursite.com/page.php?id=1'

or

http://www.yoursite.com/page.php?id='1

3. Load the modified URL into your browser and check the result. There are two possible results, and the result determines whether the tested website or web application is vulnerable.

If the page loads without any error, then your website or web application is most likely not vulnerable to SQL injection. On the other hand, if the page shows an error such as the one below, or any other error, then the tested page is vulnerable to this type of attack.

** SQL query failed **
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'something' at line 8

Once the page with the vulnerability has been found, it can be isolated and fixed. Here are some resources that touch on how to prevent SQL injection attacks in web applications.

Important note: modifying the URL and testing doesn't cause any harm to your database, but I would recommend backing up all the files and the database before doing the testing. If anything goes wrong, you can recover the data from your backups.
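The quote test from steps 1 to 3, run against a vulnerable handler and a fixed one. This is an added example, not code from the original post: the function names are hypothetical, the table is constructed sample data, and an in-memory SQLite database stands in for the site's MySQL backend.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the site's MySQL database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "About")])
    return db

def page_vulnerable(db, raw_id):
    # Vulnerable pattern: the raw parameter becomes part of the SQL text,
    # so a stray quote changes the syntax of the statement.
    try:
        row = db.execute("SELECT title FROM pages WHERE id = " + raw_id).fetchone()
    except sqlite3.Error as exc:
        # Echoing the database error to the visitor is what step 3 observes.
        return 500, "SQL query failed: %s" % exc
    return (200, row[0]) if row else (404, "Not found")

def page_hardened(db, raw_id):
    # Fix 1: strong typing. Accept only a short run of ASCII digits.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "Bad request"
    # Fix 2: parameterized query. The value is bound as data, never parsed as SQL.
    row = db.execute("SELECT title FROM pages WHERE id = ?", (int(raw_id),)).fetchone()
    return (200, row[0]) if row else (404, "Not found")

def run_quote_test(handler):
    # The three id values from steps 1 and 2: 1, 1' and '1.
    db = make_db()
    return {value: handler(db, value) for value in ("1", "1'", "'1")}

if __name__ == "__main__":
    for name, handler in (("vulnerable", page_vulnerable), ("hardened", page_hardened)):
        for value, (status, body) in run_quote_test(handler).items():
            print("%-10s id=%-3s -> %d %s" % (name, value, status, body))
```

A page that hides database errors can still be built on the concatenation pattern, so a clean result from the quote test is weaker evidence than reviewing the code for queries assembled from request parameters.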

12 Comments »

  1. Alam November 4, 2010 at 6:47 pm

    Great article, thanks for sharing.

    • Aafrin November 10, 2010 at 8:55 pm

      you are welcome…

  2. neo November 10, 2010 at 3:44 pm

    Good one, I appreciate you sharing.

    • Aafrin November 10, 2010 at 8:56 pm

      No problem, thanks for leaving a comment…

  3. anehra63 November 12, 2010 at 4:58 pm

    Nice one, thanks for sharing.

  4. Omer Greenwald November 13, 2010 at 7:22 am

    Good read. WordPress deals with this vulnerability using functions like esc_html and wp_kses.

    • Aafrin November 22, 2010 at 8:05 pm

      thanks for the information.

  5. Vadim November 17, 2010 at 8:17 pm

    Short and clear, thanks.

    • Aafrin November 22, 2010 at 8:05 pm

      you are welcome… :)

  6. Avisek July 13, 2013 at 8:04 pm

    How can I check my site's vulnerability to SQL injection when I am using the POST method?

    • Aafrin October 27, 2013 at 5:28 pm

      You can send specifically crafted input parameters to check if it's vulnerable.
