I was looking through some coding standards at my work and I came across this:
string query = "SELECT * FROM USERS WHERE USER_ID='" + userIdFromWebPage + "'";
userIdFromWebPage is a variable that contains untrusted data that has not been validated.
Imagine that it contains one of the following:
- "' or 1=1 -"
- "' ;DROP TABLE users -"
- "' ;exec xp_cmdshell(''format c:') -"
The final query could look like this.
string query = "select * FROM USERS WHERE USER_ID='';exec xp_cmdshell('format c:') -";
This results in a format of the c:\ drive on the database server.
Is that actually true?
The real question is: can that code be used for SQL injection? And the answer is absolutely yes. The days of vandals who would format your drive just to spread mayhem are long gone; nowadays the attacks are mounted by individuals interested in financial gain. They will usually use the SQL injection vector to add your host to their botnet, sometimes to steal information you may have, sometimes to take your data hostage and ask for ransom (encrypt it and ask for compensation for decryption). So they are unlikely to issue a format c:.

Can xp_cmdshell be used to issue a command like format c:? Not by default; ever since SQL 2005 the engine disables xp_cmdshell by default and an administrator has to explicitly enable it back. But if it is enabled, can it be used? Yes. Will the OS format the c: drive? Unlikely. No OS around today accepts a format of the system volume. But ultimately the point is that your code should not allow for SQL injection.
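The closing point of the answer, shown as an added example (not code from the question or the answer): the concatenated lookup from the coding standard beside the parameterized form, run against a constructed in-memory SQLite table standing in for USERS. The sample rows and the payload are constructed here; the payload follows the first bullet in the question, using the standard `--` comment marker.

```python
import sqlite3

# Constructed sample data, not from the original post.
SAMPLE_USERS = [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")]


def make_db():
    """In-memory database standing in for the USERS table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USER_ID TEXT PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, user_id_from_web_page):
    """The pattern the coding standard warns about: untrusted input spliced
    straight into the SQL text. Returns the matching USER_ID values."""
    query = "SELECT * FROM USERS WHERE USER_ID='" + user_id_from_web_page + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, user_id_from_web_page):
    """Same lookup with a bound parameter: the driver passes the value
    separately from the SQL text, so quotes and comment markers in it
    are treated as data, never as syntax."""
    query = "SELECT * FROM USERS WHERE USER_ID=?"
    return sorted(row[0] for row in conn.execute(query, (user_id_from_web_page,)))


def demo():
    """Run both lookups with an honest value and with the constructed payload."""
    conn = make_db()
    honest = "alice"
    # Constructed payload: the closing quote is neutralised by the comment,
    # so the WHERE clause collapses to '' OR 1=1 and matches every row.
    payload = "' OR 1=1 --"
    return {
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_payload": lookup_unsafe(conn, payload),  # every user leaks
        "safe_honest": lookup_safe(conn, honest),
        "safe_payload": lookup_safe(conn, payload),      # no such USER_ID
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Stacked statements such as the `;DROP TABLE` bullet are rejected outright by sqlite3's `execute`, so this demonstration limits itself to the tautology case; the parameterized form is the fix in either case.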