How does the SQL injection from the "Bobby Tables" XKCD comic work?

security sql-injection validation

Solution 1:

It drops the students table.

The original code in the school's program probably looks something like

q = "INSERT INTO Students VALUES ('" + FNMName.Text + "', '" + LName.Text + "')";

This is the naive way to add text input into a query, and is very bad, as you will see.

After the values from the first name, middle name textbox FNMName.Text (which is Robert'); DROP TABLE STUDENTS; --) and the last name textbox LName.Text (let's call it Derper) are concatenated with the rest of the query, the result is now actually two queries separated by the statement terminator (semicolon). The second query has been injected into the first. When the code executes this query against the database, it will look like this

INSERT INTO Students VALUES ('Robert'); DROP TABLE Students; --', 'Derper')

which, in plain English, roughly translates to the two queries:

Add a new record to the Students table with a Name value of 'Robert'

and

Delete the Students table

Everything past the second query is marked as a comment: --', 'Derper')

The ' in the student's name is not a comment, it's the closing string delimiter. Since the student's name is a string, it's needed syntactically to complete the hypothetical query. Injection attacks only work when the SQL query they inject results in valid SQL.

Edited again as per dan04's astute comment

Solution 2:

Let's say the name was used in a variable, $Name. You then run this query:

INSERT INTO Students VALUES ( '$Name' )

The code is mistakenly placing anything the user supplied as the variable. You wanted the SQL to be:

INSERT INTO Students VALUES ( 'Robert Tables` )

But a clever user can supply whatever they want:

INSERT INTO Students VALUES ( 'Robert'); DROP TABLE Students; --' )

What you get is:

INSERT INTO Students VALUES ( 'Robert' );  DROP TABLE STUDENTS; --' )

The -- only comments the remainder of the line.

Solution 3:

As everyone else has pointed out already, the '); closes the original statement and then a second statement follows. Most frameworks, including languages like PHP, have default security settings by now that don't allow multiple statements in one SQL string. In PHP, for example, you can only run multiple statements in one SQL string by using the mysqli_multi_query function.

You can, however, manipulate an existing SQL statement via SQL injection without having to add a second statement. Let's say you have a login system which checks a username and a password with this simple select:

$query="SELECT * FROM users WHERE username='" . $_REQUEST['user'] . "' and (password='".$_REQUEST['pass']."')";
$result=mysql_query($query);

If you provide peter as the username and secret as the password, the resulting SQL string would look like this:

SELECT * FROM users WHERE username='peter' and (password='secret')

Everything's fine. Now imagine you provide this string as the password:

' OR '1'='1

Then the resulting SQL string would be this:

SELECT * FROM users WHERE username='peter' and (password='' OR '1'='1')

That would enable you to log in to any account without knowing the password. So you don't need to be able to use two statements in order to use SQL injection, although you can do more destructive things if you are able to supply multiple statements.

Solution 4:

No, ' isn't a comment in SQL, but a delimiter.

Mom supposed the database programmer made a request looking like:

INSERT INTO 'students' ('first_name', 'last_name') VALUES ('$firstName', '$lastName');

(for example) to add the new student, where the $xxx variable contents was taken directly out of an HTML form, without checking format nor escaping special characters.

So if $firstName contains Robert'); DROP TABLE students; -- the database program will execute the following request directly on the DB: 

INSERT INTO 'students' ('first_name', 'last_name') VALUES ('Robert'); DROP TABLE students; --', 'XKCD');

ie. it will terminate early the insert statement, execute whatever malicious code the cracker wants, then comment out whatever remainder of code there might be.

Mmm, I am too slow, I see already 8 answers before mine in the orange band... :-) A popular topic, it seems.

Related

What is the most efficient way to deep clone an object in JavaScript?
Bind9 allow zones only as part of recursive resolution
static bindings in DHCP server
Keyboard oddities: backspace creating block square, H key deleting, most keys not working
An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {45FB4600-E6E8-4928-B25E-50476FF79425}
What causes SSH error: kex_exchange_identification: Connection closed by remote host?
Windows Server 2012 : Selected server has pending reboots and does not clear when rebooted
Why are CentOS mirrors HTTP and not HTTPS?
Apparently Robocopy does not understand Windows Server 2016 deduplication. Is there a way to make it work without corrupting the volume?
Why does Apache return a 400 "bad request" error when connecting to it with "openssl s_client" even though it sends TLS SNI
Does LVM need a partition table?
Is there a Linux kernel boot parameter to configure an IPv6 address?