Demo On SQL Injection

Demo on SQL Injection Attack

 
SQL Injection is one of the cyber security vulnerabilities that lets an attacker access data in the database without having the proper credentials. This article walks through the attack step by step.
 
In this article I have used the following software for this demonstration.
 
Eclipse Java Oxygen – To design a web page and Java Servlet
 
MySQL - To create a database and store the values in the table.
 
Step 1
 
Log in to MySQL and create a table with the fields shown in Figure 1.
 
 Fig 1: Login Table created in MySQL
 
Step 2
 
Design the Web Page using HTML in Eclipse as follows.
 
 Fig 2: Sample Web page
 
Step 3
 
In the Java Servlet we have to write the code for database connectivity. Figure 3 shows a sample snippet.
 
Fig 3: Sample Snippet for Database Connectivity
 
Step 4
 
When we run the program with valid input, it works as expected, as follows.
 
Fig 4: Testing with actual inputs
 
Step 5
 
Now it is time to perform the SQL Injection. Let's see how it works. Here we have two input fields named User name and Password. These fields are vulnerable, because the attacker can enter a crafted value that gets past the check at the database server even if the password does not match. For example, if the user gives the input in the password field as 'or '1'='1 then irrespective of any input given in the Username field the result always shows Success.
 
Because of the OR 1=1 condition in the WHERE clause, the query always returns true. In this way an attacker can manipulate an SQL statement that we thought was unbreakable. This is called SQL Injection.
 
Fig 5: Testing with SQL Injection inputs
 

How to prevent SQL injection?

 
The only way to prevent SQL Injection attacks is to use parameterized queries, which include prepared statements. The application code should not put the user input directly into the SQL statement. The above SQL statement snippet can be changed as follows to prevent SQL injection.
 
Fig 6: Modified way to prevent SQL Injection.
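
The login check from Steps 3 to 5, with the query built by string concatenation beside the parameterized form, as an added example that is not the article's own servlet code. It uses Python with an in-memory SQLite database in place of the Java Servlet and MySQL so that it runs on its own; the table layout, column names, sample account and the assumption that the original query was built by concatenation are all assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data: table name, columns and account are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('alice', 's3cret')")
    return db


def build_concatenated_sql(username, password):
    # Vulnerable form: the input is pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    return ("SELECT * FROM login WHERE username='" + username +
            "' AND password='" + password + "'")


def login_concatenated(db, username, password):
    sql = build_concatenated_sql(username, password)
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Hardened form: the statement text is fixed and the values are bound
    # separately, so they are only ever compared as data.
    sql = "SELECT * FROM login WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "'or '1'='1"  # the password input used in Step 5
    print("statement sent to the database by the concatenated form:")
    print(" ", build_concatenated_sql("nobody", payload))
    for check in (login_concatenated, login_parameterized):
        print(check.__name__,
              "| valid login:", check(db, "alice", "s3cret"),
              "| wrong password:", check(db, "alice", "wrong"),
              "| Step 5 input:", check(db, "nobody", payload))
```

In the concatenated form the WHERE clause becomes (username AND password) OR '1'='1', which is true for every row; in the parameterized form the same input is just a password that matches nothing.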