[Security] Quick Fix To Prevent SQL Injections
Lecture Transcript - [Security] Quick Fix To Prevent SQL Injections
In this lecture, we're going to go and have a look on the high security level and we'll see why it's
an injectable.
So let's go ahead first and set the security level too high.
Now, I'm going to go back to my school injection.
And let's make sure that the page works first, so I'm just going to put no one like we always did.
And as you can see now, the page works.
Now let's try to inject it after the one after the ID parameter like we always did, and I am going
to pull it.
And one is equal to one sample and a true statement.
And as you can see now, the page does not really work.
So let's try to put a single quote here to close it like we did with the lower level.
And again, this injection doesn't work either.
Even though we're given a true statement that shouldn't interfere with the current request.
We usually don't look at the code when we're trying to hack.
But as I said, this is an injectable.
So let's have a look on the code and we're going to compare it with the code used for the medium security
level.
And we'll see what the difference is between the two codes so that we can learn how to secure our website.
So I'm going to change the security level to medium here just so that we can compare the two codes and
are going to go back to the Ezekial injection.
And I'm going to view the source as well.
And God put them beside each other.
So in here, in the medium security level, you can see that the ID is being read in here and it's being
stored in the ID variable, and then they're using a function called My Ezekial the Real Escape.
So what this function does, it will go through every character in the ID variable and will look for
a special character such as single quotes and double quotes and remove them.
Therefore, any quotation marks used or injected in the idea variable will actually be removed at this
line because of the use of the mask, the real escape string.
Now, the thing is, once we go down to the squad statement, you'll see that we actually don't need
to use any quotes to inject code into the statement.
So our statement is select first name, last name from users where user ID is equal to ID.
So we actually don't need to close any quotes.
We don't need to inject quotes in the ID variable.
All we have to do is just put any idea like we did in the last video so we can put just number one and
then inject code straight away after the number one.
So when we use this code right here, we're basically we we didn't use the quotes in the media.
So we are literally just giving the idea as number one and then we're saying union select column name,
whatever from information schema tables.
So the code is just being injected straight away after the ID.
And then the database will read it and execute it.
No need to use quotes again because the code doesn't use any single quotes.
So the code just says user I.D. is equal to it.
Now, comparing this with the code that we have for the high security level, you'll see that it uses
the same function to keep special characters, but it's implemented in the right way.
And that's by using single quotes in the school statement around the ID.
Therefore, because the code is keeping the quotes that we put and because they're using quotes in there,
any code that we try to inject in here will actually be considered as if it's part of the idea.
So when we use this code right here, so if we just use the code as it is without a quote, then obviously
it will just be inserted instead of the idea variable between the two single quotes.
So it'll just be considered as the idea.
Whereas if we inject that code in here, it will actually be executed as part of the Ezekial statement.
So let's have a look on what the actual statement will look like when we inject our code in both in
the medium and in the high security level.
So I'm just going to bring down the text here.
So we have this statement for the medium here.
And the Ezekial statement for the high security level and we'll just try to inject and one is equal
to one because as we've seen, if you can inject that, then you can inject anything you want really
and get it executed on the database.
OK, so looking at the medium statement.
We're going to copy this code now.
This code will actually go and pass through the MySQL real Escape character, so it will be removed
from any single code that it has, but it has nothing.
And the code will look like one and one is equal to one.
So this statement is valid and one is equal to one will be injected.
Now, looking at the high security level.
Notice the use of the single quotes, which will mean that the user ID is equal to one and one is equal
to one.
So and one is equal to one will not be considered as part of the Ezekial statement, but it will be
considered as part of the user ID.
Now, let's try to add the single quote and see what effect would that have on the Ezekial statement?
I'm actually going to get rid of this statement because we managed to inject it and we're only going
to focus on the highs in the statement used in the high security level.
So we're using a single quote here to close it and we're going to copy this.
Now, this will actually pass through the and real escape strength.
So the single quote that we're using here will actually be removed and this line will become.
One and one is equal to one, so it's going to be equal or exactly the same as the line we used before.
Now, once this is substituted in here, again, the one and one is equal to one will be considered
as part of the issue of the user ID and it won't be considered as part of the Ezekial statement.
From this we can see that the use of the Maisky are the real SCAP.
Strange is not enough.
It has to be used with the single quotes right here.
And combined with that function, then this specific Ezekial and statement becomes an injectable.
Now, in future lectures, we're actually going to discuss a better way to build Web applications so
that they can't be injected with Ezekial statements, but if you needed a quick solution, then you
can go for this until you have time.
Then you can change the implementation of your website so that it can't be injected.