There’s a world of stupid reasons why programs crash and there’s an equally big list of ways in which bad code can lead to security flaws. And because I thought it would be interesting (for me, at least) I thought I would write about them.
Today’s flaw of choice has the foxy name of the SQL injection attack. It pops up wherever a database is used to store information - most often in complex web sites.
Databases and accessing them
So let's deal with the background first. SQL is a relatively simple language used for querying databases. Let’s pretend we have a database that looks like this, which holds the agents from the fictional organisation UNCLE:
| agents                              |
|=====================================|
| user | name              | password |
|------|-------------------|----------|
| ik   | Illya Kuryakin    | secret   |
| ns   | Napoleon Solo     | notell   |
| aw   | Alexander Waverly | 007bond  |
Getting a list of all the agents in UNCLE, for example, would be done like:
SELECT name FROM agents;
And that’s it. The database will, quick as a flash, come back with the short list of all the names. Let’s hope THRUSH never get access to this database!
The interesting thing about SQL is that it allows the programmer to string a whole load of commands together. The following line will fetch a list of names from the database and then delete the list of agents from the database.
SELECT name FROM agents; DROP TABLE agents;
This is obviously quite a powerful thing to do and not something you want, for example, outside users to do…
SQL injection
Of course in this modern world our agents want to check their email from exotic locations around the world, so UNCLE runs a webmail system for them. When an UNCLE agent types their username into the browser, the application will send a query like this to the database:
SELECT password FROM agents WHERE user = "$person";
The text marked $person is replaced with their username. This will return the password of the person trying to log in. Let’s say I try to log in as Illya Kuryakin, having watched over his shoulder what his username was. I type ik as my username and the above line goes through as:
SELECT password FROM agents WHERE user = "ik";
This is a typical, and dangerous, way of doing things. If a wily THRUSH agent visits the site and puts in the username "; DROP TABLE agents; ", all sorts of horrors are unleashed:
SELECT password FROM agents WHERE user = ""; DROP TABLE agents; "";
Not good. Suddenly anyone can drift past and delete databases, change passwords or just log in without adequate authorisation. I’ll leave those other examples for Wikipedia to explain.
And that is SQL injection, since arbitrary (and potentially dangerous) code can be injected into the middle of innocuous statements.
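As an added example that is not part of the original post, here is the webmail lookup above written two ways in Python against an in-memory SQLite copy of the agents table: the post's string-splicing version, which lets THRUSH's username drop the table, and a parameterised version that treats the same input as nothing more than a username. It uses single quotes for the SQL string literal where the post uses double quotes, since that is what SQL and SQLite expect; the table contents are made up.

```python
import sqlite3

# Constructed sample data mirroring the post's agents table (made-up credentials).
AGENTS = [
    ("ik", "Illya Kuryakin", "secret"),
    ("ns", "Napoleon Solo", "notell"),
    ("aw", "Alexander Waverly", "007bond"),
]

# The post's payload, with single quotes because SQL (and SQLite) delimits
# string literals with them; the post's webmail used double quotes.
THRUSH_USERNAME = "'; DROP TABLE agents; '"


def fresh_db():
    """In-memory SQLite database holding the agents table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE agents (user TEXT, name TEXT, password TEXT)")
    con.executemany("INSERT INTO agents VALUES (?, ?, ?)", AGENTS)
    return con


def agents_table_exists(con):
    sql = "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'agents'"
    return con.execute(sql).fetchone()[0] == 1


def vulnerable_lookup(person):
    """The post's pattern: the username is pasted into the SQL text.
    Python's execute() refuses a string holding two statements, so this uses
    executescript(), which, like the post's database, runs every statement
    it is given. Returns whether the agents table survived the lookup."""
    con = fresh_db()
    try:
        con.executescript(f"SELECT password FROM agents WHERE user = '{person}';")
    except sqlite3.Error:
        # The dangling '' the payload leaves at the end is a syntax error,
        # but SQLite only reaches it after DROP TABLE has already run.
        pass
    return agents_table_exists(con)


def parameterised_lookup(person):
    """The fix: the SQL text never changes and the username travels separately
    as a bound parameter, so it can only ever be compared as a value.
    Returns the matching passwords and whether the table survived."""
    con = fresh_db()
    cur = con.execute("SELECT password FROM agents WHERE user = ?", (person,))
    return [row[0] for row in cur.fetchall()], agents_table_exists(con)
```

Calling vulnerable_lookup(THRUSH_USERNAME) returns False because the table is gone, while parameterised_lookup(THRUSH_USERNAME) returns ([], True): no agent has that name, and the DROP never runs.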