Github Printable

Query Injection

Query injection occurs when an attacker causes a query sent to a database or other backend to have a structure that differs from that the developer intended.

connection.query(
    'SELECT * FROM Table WHERE key="' + value + '"',
    callback);

If an attacker controls value and can cause it to contain a single quote, then they can cause execution of a query with a different structure. For example, if they can cause

value = ' " OR 1 -- two dashes start a line comment';

then the query sent is SELECT * FROM Table WHERE key=" " OR 1 -- ... which returns more rows than intended possibly leaking data that the requester should not have been able to access, and may cause other code that loops over the result set to modify rows other than the ones the system's authors intended.

Some backends allow statement chaining so compromising a statement that seems to only read data:

value = '"; INSERT INTO Table ...  --'

can violate system integrity by forging records:

' SELECT * FROM Table WHERE key="' + value + '" ' ===
' SELECT * FROM Table WHERE key=""; INSERT INTO Table ... --" '

or deny service via mass deletes.

Query injection has a long and storied history.

Query Injection

Query Injection

results matching ""

No results matching ""