What is SQL Injection & What are steps to fix it ? – most common problems of e-commerce sites

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

How SQL Injection works

In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.

In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.

The following server-side pseudo-code is used to authenticate users to the web application.

app_user_name      = request.POST[‘username’]
app_user_passwd  = request.POST[‘password’]

# SQL query vulnerable to SQLi

sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”

# Execute the SQL statement database.execute(sql)


The above script is a simple example of authenticating a user with a username and a password against a database with a table named users, and a username and password column.

The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.

A simple example of an SQL Injection payload could be something as simple as setting the password field to password’ OR setting an inner query to (delete * from users) 

This would result in the query to be executed and data can be corrupted or manipulated.

What’s the worst an attacker can do with SQL?

SQL is a programming language designed for managing data stored in an RDBMS, therefore SQL can be used to access, modify and delete data. Furthermore, in specific cases, an RDBMS could also run commands on the operating system from an SQL statement.

Below are few things an attacker can inflict serious trouble to any organisation :

  • An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
  • One of SQL’s primary functions is to select data based on a query and output the result of that query. An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
  • Since web applications use SQL to alter data within a database, an attacker could use SQL Injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.
  • SQL is used to delete records from a database. An attacker could use an SQL Injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application’s availability until the database is restored.
  • Some database servers are configured (intentional or otherwise) to allow arbitrary execution of operating system commands on the database server. Given the right conditions, an attacker co

An SQL Injection needs just two conditions to exist – a relational database that uses SQL, and a user controllable input which is directly used in an SQL query.

In the example below, it shall be assumed that the attacker’s goal is to exfiltrate data from a database by exploiting an SQL Injection vulnerability present in a web application.

Example on how to avoid SQL Injections 

Default Example : 

String name = //user input 
int age = //user input 
Connection connection = DriverManager.getConnection(...); 
PreparedStatement statement = connection.prepareStatement( "SELECT * FROM people WHERE lastName = ? AND age > ?" ); 
statement.setString(1, name); //lastName is a VARCHAR 
statement.setInt(2, age); //age is an INT 
ResultSet rs = statement.executeQuery(); 
while (rs.next()){ //... }

Now the above code can be violated by executing like name = (update employee set password=’123′)   or name = ‘delete * from employee’   – this could completely put things at a toss

Safer Approach :

List<Person>; people = //user input

Connection connection = DriverManager.getConnection(…);



             PreparedStatement statement = connection.prepareStatement( “UPDATE people SET lastName = ?, age = ? WHERE id = ?”);
for (Person person : people)
statement.setString(1, person.getLastName());
statement.setInt(2, person.getAge());
statement.setInt(3, person.getId());
statement.execute(); }

catch (SQLException e)

So these design and coding principles have  to applied during intial phase of the project so every sprint or every iteration code gets better and better.

-Tech Team from Techuva Solutions 

6 Developer Friendly Ways To Strengthen Web Application Security


6 Developer friendly methods for better Application Security :


Nobody wants their Web application to get hacked even in their dreams, But there is more than 100+ breaches happening any given hour world wide. Here’s how to get serious about secure apps development.
1. User inputs are the first weak link  Everybody should understand that user inputs are not your friend,” Today, many sites accepts many different types of content from users, including text, images, and uploadable attachments. But all of that user-supplied content also can be used by a crafty hacker to try and exploit the underlying Web application. Accordingly, “the more user input you’re going to be collecting, the more work that will potentially need to be going into securing this input,” This means Developers should make things better enforced.


2. Understanding vulnerabilities which can compromise thingsHere is the most common list of vulnerabilities :Crucial ones are : SQL Injection , Cross Site Scripting (especially with MicroSevices and Webservices) this poses as the #1 risk.

OWASP Web Top 10 for 2013.png


3. Don’t customise security It’s very essential to have the list of approved security controls that will mitigate every exploit in the OWASP top 10, Now the top 10 is not an exhaustive list of vulnerabilities, but if you do that, you’ve at least gotten your fundamentals straightened out


4. Applying security controls consistently

        Rule 1 : To be secure, we have got to be consistent. An attacker, only have to find the one place where you don’t have a security control, and that’s the one place you’ll be attacked.” Preventing that from happening means applying security throughout the development of your software, “and that requires securing the software development lifecycle, or SDLC. Tools like HP Fortify , SonarQube helps to find vulnerabilities during development stage itself.


5. Share the best practice Key to succeess is not having to re-invent the wheel everytime a team is doing a new project, Common Security Practices have to templatized and be used company wide, Security CoEs ( Centre of Excellence) of Focus Groups helps to share the knowledge.


6. Security Controls in Open Sources / Different Languages Every Programming language is different and so are the security controls too. That goes for PHP, Java, .NET, or any other language being used. Each has its nuances, and some will offer better out-of-the-box security, but the important step is to ensure that everyone involved in building and approving a Web application understands how to stop exploits such as SQL injection and cross-site scripting attacks, and has the right development or code-checking tools to help.
Success to web-application security starts from the design phase. “It is not a separate module” – it’s part of every function, modules and query !

–  by Techuva Solutions Pvt Ltd