I'm coming from an Oracle world where I can use DBMS_SQL for dynamic SQL with an unknown number of bind variables. Apparently this is not possible in MySQL. So my question is how do you protect against SQL Injection in MySQL? I thought this would be easy to lookup but every example I find is with PHP & MySQL. I'm only dealing with MySQL stored procedures, no PHP. Here is a snippet:
set #sql_string=concat(#sql_string,'col1=''',someRandomText,''' where col2=''',moreRandomText,''';');
Is there a protection function that could be applied to someRandomText to prevent SQL Injection (http://bobby-tables.com/)?
Thanks!
Related
I have an insert query that I want to execute using the JavaScript V3 AWS client, against an AWS Aurora MySQL Serverless database. I am using the Data API of the database. I got the #aws-sdk/client-rds-data set up in my code and I can connect and execute arbitrary SQL queries using the ExecuteStatementCommand.
What I would like to know is that how I make SQL prepared statements and execute them. I have an INSERT query whose values are user provided. I cannot just concatenate those values into the SQL query as it would create an SQL injection vulnerability.
Unfortunatelly, I couldn't find how to make prepared statements and execute them in the #aws-sdk/client-rds-data package's documentation.
If somebody knows how to do it, could that someone please explain. Big thanks in advance!
I'm not a user of the AWS SDK for client-rds-data, but I'm inferring the following from the documentation, and my own knowledge of MySQL.
I see that interface ExecuteSqlCommandInput has a property sqlStatements, which allows multiple SQL statements separated by semicolons. This precludes the use of query parameters, because in MySQL you can't use prepare() on a string that includes multiple SQL statements.
Whereas ExecuteStatementCommandInput has a property sql (a single statement) and a property parameters which is an array of scalar parameters (i.e. each scalar corresponds to one parameter placeholder in the sql string). This should allow you to run a parameterized SQL query.
Re your comment: When you said you wanted to use prepared statements to avoid SQL injection vulnerabilities, I assumed you understood how prepared statements protect against those vulnerabilities.
In fact, using prepared statements alone is not a defense. You have to separate dynamic inputs from your SQL query by using query parameters. It just happens that using query parameters requires using prepared statements, so people say "use prepared statements" to defend against SQL injection, when they should say "use query parameters, which implies you must use prepared statements."
Tutorials about using SQL with query parameters are abundant. Here's one for Node.js: https://www.veracode.com/blog/secure-development/how-prevent-sql-injection-nodejs
The calling convention for the AWS SDK is different, but the concept is the same. I have only found reference documentation for AWS SDK, no code examples or task-oriented documentation. This is disappointing but unfortunately typical for AWS.
I need to convince someone that he needs to sanitize the user input in addition to the user of stored procedures. well I know I sound crazy but I do not feel comfortable enough with store procedures only. My first reason is that I am able to cause errors in the stored procedure but because of the fact that the application itself handles errors such that error messages are coded it is difficult for outside to understand the what there are. but I still think that this is not secure.
Does any one has a suggestion ? or am I wrong to doubt stored procedures?
No it's not safe on it's own. You can also do in a stored procedure something like this:
SET #sql = 'Select * from products where name like ''' +#spinput+''' ';
exec(#sql);
With the wrong value in #spinput you can inject code.
However you can write stored procedures that are safe against sql injection.
Even if you use proper parameters, you can still mess with the database. You could insert a script that goes in as a parameter, but when it's displayed on a web page starts doing something it shouldn't. Use parameters to ensure your database is used as intended, but also sanitize the output later - never trust user-entered data.
Using stored procedures normally protects against SQL injection, but is not the only solution to prevent SQL injections, and it doesn't protect against all forms of SQL injection.
It's not the stored procedure itself that makes the big difference, but parameterised queries, which is the most common way to call a stored procedure. By putting the values used by the query in parameters, you let the database library handle them instead of having to escape them correctly yourself.
It's possible to write code that is safe against SQL injections without using parameterised queries, but it's difficult. You have to know exactly what characters you need to escape in a string for the specific database that you are using, and if you get it wrong you are pretty much as unprotected as if you didn't know about SQL injections at all.
If you use parameterised queries, then the step of sending the values into the database is safe from SQL injection, but the query itself might not be. If the query generates and executes SQL code itself, you have the same problem with escaping strings correctly. It's however not so usual to create SQL code in the SQL code, and if you do it you are very aware of that you are doing it.
All of the examples I've found show how to use query by sql statement, as: 'connection.query("select * from my_table",...)', but I want to do it without sql statement, but with store procedure.
I found something about 'db-mysql' that supplies this option but I didn't success installing it.
I don't want to use sql statement in my code.
I want to select, update etc. by stored procedures in my mysqldatabase (like C#).
How can I do it?
Checkout http://sequelizejs.com/ it is a node compatible orm which allows you to easily interface with sql without needing to use sql statements.
I prefer to use prepared statement but i'm studiyng defense techniques from SQL injection. I've read that stored procedures are used to limit the database privileges allowing only the execution privilege on the procedures but in some cases can be used to avoid sql injection.
Someone can give me an example using mysql?
Stored procedures has absolutely nothing to do with injections.
To protect from injection, you have to format your SQL properly, be it SELECT query, a procedure call or anything. That. Is. All.
Recently one of our client's websites fell prey to a SQL Injection attack due to a failure to sanitize query string parameters provided to the page. The vulnerable code has since been identified and is being corrected, but it got me wondering about some of the differences between how MySQL and SQL Server process multi-query strings.
The vulnerable code is used on several dozen websites, two of which are are running on SQL server while the rest are on MySQL. With this code we have never before suffered an injection attack (by the grace of God), but once we released the two websites that are running on SQL server (with the same code base) the website was quickly exploited. The method of injection was quite simple:
page.asp?param=1;delete from [some_table];
Like I said, the vulnerable code is shared across many websites, but if I try to execute the same type of injection on our MySQL sites ASP throws up a nice Server Error letting us know that there was an error in the query:
SELECT * FROM Table1 WHERE ID = 1;DELETE FROM TABLE1;
Testing this further I was able to verify that the MySQL ODBC 3.51 Driver will not allow two SQL queries to be executed in the same statement when an ADODB.Connection object calls Execute(""), while SQL Server Native Client (10.1) doesn't have any problem running two side-by-side queries. Is this in fact just a configuration of the provider that makes SQL server vulnerable in this fashion while MySQL is not, or does this stem from somewhere else?
The MySQL client API does not permit multi-queries by default. You have to enable this explicitly, or else you'll get errors when trying to execute a query like you saw. This is a good thing for reducing risk of SQL injection attacks.
The MySQL ODBC driver 3.51.18 (August 2007) added support for a connect option FLAG_MULTI_STATEMENTS to enable multi-statements. See http://dev.mysql.com/doc/refman/5.1/en/connector-odbc-configuration-connection-parameters.html.
See also http://bugs.mysql.com/bug.php?id=7445 for the history of this option.
Also see my answer to "Mysql change delimiter for better SQL INJECTION handling?" Note that multi-statements is only one way to get an SQL injection vulnerability. Disabling multi-statements is not a 100% proof against these flaws.
It's a feature of SQL server that it supports multiple statements on a line. The solution is not so much to sanitize the input, as to use parameterized queries or stored procedures. If the query had been
SELECT * FROM Table1 WHERE ID = #id
Then passing "1;DELETE FROM TABLE1;" would have produced an error, since that's not a valid integer value.
I think this happened because SQL Server supports MARS. As far as I understand MySQL does not support this. Mars is a good feature to speed up database queires so there are fewer round trips. you can put more then one query in a sql statement.
It is possible to exploit SQL injection without stacking queries. A very common method is to use a "Union Select"
Here is a mysql injection exploit that I have written which uses a union select:
http://milw0rm.com/exploits/3002
A union select allows you make a select statement within other statement:
select 1 union select Password from mysql.user
You can also do a sub-select:
insert into sometable (some,col,id) values ((select Password from mysql.user),1,1)-- )
Blind sql injection works on all platforms, however depending on the database the exploit will be different. This is a blind SQL Injection exploit for mysql:"
milw0rm.com/exploits/4547
This is a very good paper on the topic of SQL Injection for MySQL:
www.ngssoftware.com/papers/HackproofingMySQL.pdf