Lecture 20: SQL Injection

Intro to Web Security Attacks

Code Injection

What does each part of the special input 2+3); system('rm *.*' do? Why don't we include a closing parenthesis at the end?

Intro to SQL Injection

SQL Review

Note: If you feel comfortable with basic SQL (SELECT statements, WHERE clauses, inserting and deleting entries from tables, DROP TABLE), feel free to skip this video and refer back to it as needed.

Consider the Customer table with AcctNum, Username, and Balance fields. Write a query to output the usernames of all accounts with balance greater than or equal to 10.

SQL Injection Example

What SQL query is executed when the attacker inputs alice'; SELECT * FROM Customer;'? Why is each part of this input necessary to avoid a syntax error?

Real-world SQL Injection Attacks

Another SQL Injection Example

Can an attacker exploit this query to learn the password of the admin user? If yes, write a malicious input that would leak the password. If no, explain why.

Defense: Input Escaping

Consider an escaping function that takes user input and replaces all instances of a single quote ' with the escaped version \'. Can an attacker still craft a malicious input using a single quote? If yes, write a malicious input that would bypass this escaping function. If no, explain why.

Defense: Parameterized SQL

(True/False) Parameterized SQL defends against all SQL injection attacks.
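As an added illustration of the parameterized-SQL defense (example code written for these notes, not part of the lecture), the script below builds the lecture's Customer table (AcctNum, Username, Balance) in an in-memory SQLite database with constructed sample rows, then runs the lecture's injection input through a string-concatenated query and through a parameterized one. The function names and sample balances are assumptions.

```python
import sqlite3

# Constructed sample rows for the lecture's Customer(AcctNum, Username, Balance) table.
CUSTOMERS = [(1, "alice", 50), (2, "bob", 5), (3, "carol", 10)]

# The injection input from the lecture's SQL Injection Example.
INJECTED_INPUT = "alice'; SELECT * FROM Customer;'"


def make_db():
    """Create the Customer table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (AcctNum INTEGER, Username TEXT, Balance INTEGER)")
    conn.executemany("INSERT INTO Customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def build_unsafe_query(username):
    """Vulnerable pattern: the user's text is spliced into the SQL grammar itself."""
    return "SELECT Balance FROM Customer WHERE Username = '" + username + "'"


def lookup_unsafe(conn, username):
    """Run the concatenated query. With the injected input the text now holds two
    statements; Python's sqlite3 refuses to execute() more than one, so the
    structural change shows up as an exception instead of as extra rows."""
    try:
        return conn.execute(build_unsafe_query(username)).fetchall()
    except Exception as exc:  # sqlite3.Warning or ProgrammingError depending on version
        return f"query structure changed: {exc}"


def lookup_safe(conn, username):
    """Parameterized query: the SQL text is fixed and the driver binds `username`
    as a value, so quotes and semicolons in it can only ever be compared as data."""
    return conn.execute(
        "SELECT Balance FROM Customer WHERE Username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe SQL text:", build_unsafe_query(INJECTED_INPUT))
    print("unsafe result:  ", lookup_unsafe(db, INJECTED_INPUT))
    print("safe result:    ", lookup_safe(db, INJECTED_INPUT))
```

The parameterized lookup simply finds no customer whose name is the whole injected string, which is the behaviour the defense promises regardless of what characters the input contains.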


After finishing this lecture, you should be able to complete Q2 on Homework 6.