[sql] Testing if a site is vulnerable to SQL injection

I was reading about SQL injection and I understand how it works if there is a form where the user can enter his username and log in. What I don't get is how websites without a login page can be vulnerable to SQL injection.

http://thecybersaviours.com/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection

It says to just append a ' or ''=' to test it. I don't understand how this helps to determine whether an error exists. Where is the query being constructed at all?


Answers:


The easiest way to protect yourself is to use stored procedures instead of inline SQL statements.

Then use "least privilege" permissions and only allow access to stored procedures and not directly to tables.


SQL injection can be done on any input the user can influence that isn't properly escaped before being used in a query.

One example would be a GET variable like this:

http://www.example.com/user.php?userid=5

Now, if the accompanying PHP code goes something like this:

// $_GET['userid'] is concatenated straight into the SQL text, with no escaping or parameter binding
$query = "SELECT username, password FROM users WHERE userid=" . $_GET['userid'];
// ...

You can easily use SQL injection here too:

http://www.example.com/user.php?userid=5 AND 1=2 UNION SELECT password,username FROM users WHERE usertype='admin'

(of course, the spaces will have to be replaced by %20, but this is more readable. Additionally, this is just an example making some more assumptions, but the idea should be clear.)


A login page isn't the only part of a database-driven website that interacts with the database.

Any user-editable input which is used to construct a database query is a potential entry point for a SQL injection attack. The attacker may not necessarily log in to the site as an admin through this attack, but can do other things. They can change data, change server settings, etc., depending on the nature of the application's interaction with the database.

Appending a ' to an input is usually a pretty good test to see if it generates an error or otherwise produces unexpected behavior on the site. It's an indication that the user input is being used to build a raw query and the developer didn't expect a single quote, which changes the query structure.

Keep in mind that one page may be secure against SQL injection while another one may not. The login page, for example, may be hardened against such attacks, but a different page elsewhere in the site might be wide open. So, for example, if one wanted to log in as an admin, one could use the SQL injection on that other page to change the admin password, then return to the perfectly non-SQL-injectable login page and log in as the admin.
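The two answers above describe the same mechanism from two sides: the PHP answer shows a GET parameter being concatenated into a query, and this answer explains why appending a single quote is a useful probe. The following Python script (an added example, not code from the question or any of the answers) reproduces both points against an in-memory SQLite database. The `users` table, its columns and the row contents are constructed for the demonstration; the page only implies the `userid`, `username`, `password` and `usertype` columns. `lookup_vulnerable` mirrors the PHP concatenation, `lookup_parameterized` is the hardened form using a bound parameter, and `probe` reports whether a given input produced rows or a database error.

```python
import sqlite3


def make_db():
    """Build a constructed sample database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, usertype TEXT)"
    )
    # Constructed sample rows; the values are placeholders, not real credentials.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "s3cret-admin-pw", "admin"),
            (5, "alice", "alice-pw", "user"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, userid):
    """Mirror of the page's PHP: the raw request value is glued into the SQL text."""
    query = "SELECT username, password FROM users WHERE userid=" + userid
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, userid):
    """Hardened form: the value is bound separately from the SQL text, so it is
    always treated as data and can never change the query structure."""
    query = "SELECT username, password FROM users WHERE userid=?"
    return conn.execute(query, (userid,)).fetchall()


def probe(lookup, conn, value):
    """Run a lookup with the given input and report what happened.

    Returns ("ok", rows) when the query ran, or ("error", message) when the
    database rejected it. A syntax error on a quote-containing input is the
    signal the answer above describes: the input reached the SQL parser.
    """
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # The page's probe: a single quote appended to an otherwise valid value.
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, "with 5  ->", probe(fn, db, "5"))
        print(name, "with 5' ->", probe(fn, db, "5'"))
    # The page's UNION example: only the concatenating version changes shape.
    payload = "5 AND 1=2 UNION SELECT password,username FROM users WHERE usertype='admin'"
    print("vulnerable with UNION payload    ->", probe(lookup_vulnerable, db, payload))
    print("parameterized with UNION payload ->", probe(lookup_parameterized, db, payload))
```

Running the script shows the contrast the answers describe: the concatenating lookup raises an `unrecognized token` error for `5'` and returns the admin row for the UNION input, while the parameterized lookup treats both strings as a single `userid` value that matches nothing and returns an empty result without error. In a real application the error branch is what a tester or a web application firewall would notice; the parameterized branch is what removes the problem, whether the code is PHP (`PDO` prepared statements), Python or anything else.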


Any input from a client is a way to be vulnerable, including all forms and the query string. This includes all HTTP verbs.

There are 3rd party solutions that can crawl an application and detect when an injection could happen.


The test has to be done on a page that queries a database, so yes, typically that is a login page, because it's the page that can do the most harm, but it could be an insecure page as well.

Generally you would have your database queries behind a secure login, but if you just have a listing of items or something that you don't care if the world sees, a hacker could append some SQL injection to the end of the query string.

The key with SQL injection is that the person doing the injection would have to know that you're querying a database, so if you're not querying a database then no SQL injection can be done. If your form is submitting to a database then yes, they could SQL inject that. It's always good practice to either use stored procedures to select/insert/update/delete or make sure you prepare or escape all the statements that will be hitting the database.