Lecture 20: SQL Injection
Intro to Web Security Attacks
What does each part of the special input 2+3); system('rm *.*' do? Why don't we include a closing parenthesis at the end?
Intro to SQL Injection
Note: If you feel comfortable with basic SQL (WHERE clauses, inserting and deleting entries from tables, DROP TABLES), feel free to skip this video and refer back to it as needed.
Consider a Customer table with Balance fields. Write a query to output the usernames of all accounts with balance greater than or equal to 10.
SQL Injection Example
What SQL query is executed when the attacker inputs alice'; SELECT * FROM Customer;'? Why is each part of this input necessary to avoid a syntax error?
Real-world SQL Injection Attacks
Another SQL Injection Example
Can an attacker exploit this query to learn the password of the admin user? If yes, write a malicious input that would leak the password. If no, explain why.
Defense: Input Escaping
Consider an escaping function that takes user input and replaces all instances of a single quote ' with the escaped version \'. Can an attacker still craft a malicious input using a single quote? If yes, write a malicious input that would bypass this escaping function. If no, explain why.
Defense: Parameterized SQL
(True/False) Parameterized SQL defends against all SQL injection attacks.
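As an added illustration (not part of the lecture materials), the following Python sqlite3 code puts the lecture's Customer table in both forms: the query built by string concatenation from the SQL Injection Example video, and the parameterized queries this video recommends. The column names username and balance, and the sample rows, are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows (not from the lecture). The column names
# "username" and "balance" are an assumption; the lecture only names the
# Customer table and its Balance field.
SAMPLE_CUSTOMERS = [("alice", 25), ("bob", 5), ("o'brien", 12), ("admin", 100)]


def make_db():
    """Create an in-memory Customer table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (username TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO Customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def build_query_unsafe(username):
    """The vulnerable pattern: user input is spliced into the SQL text.

    Only builds the string, to show how a quote inside the input is read as
    SQL syntax: the template's closing quote ends up pairing with the last
    quote of the input, which is why that trailing quote avoids a syntax error.
    """
    return "SELECT balance FROM Customer WHERE username = '" + username + "'"


def get_balance(conn, username):
    """Parameterized lookup: the SQL text is constant and the value is bound
    by the driver, so quotes in `username` are always data, never syntax."""
    row = conn.execute(
        "SELECT balance FROM Customer WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def usernames_with_balance_at_least(conn, minimum):
    """Parameterized form of the balance query from the Intro to SQL video."""
    rows = conn.execute(
        "SELECT username FROM Customer WHERE balance >= ? ORDER BY username",
        (minimum,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    injected = "alice'; SELECT * FROM Customer;'"
    print(build_query_unsafe(injected))  # the input has become two statements
    print(get_balance(db, injected))  # None: no customer has that literal name
    print(get_balance(db, "o'brien"))  # 12: a legitimate quote in data is fine
    print(usernames_with_balance_at_least(db, 10))
```

Note that the parameterized version handles a legitimate quote (o'brien) and the injected input the same way, as a literal value, which is the property input escaping tries, and struggles, to provide by hand.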
After finishing this lecture, you should be able to complete Q2 on Homework 6.