Preface
The internet is everywhere, and it is critical for our social and economic life, period.
Our communication capabilities, the water that we drink every day, the energy that gives us light during the night and fuels the objects that make our life better (such as washing machines), transportation, and the financial world are totally dependent on interconnected systems. These systems, in most cases, use software to manage data stored in databases, and that software is normally accessible not only from internal networks but also from external ones. This exposure is the source of the most critical security problems.
There is an attack every 39 seconds on average on the web, 30,000 new websites are hacked every day, and hackers steal 75 database records every second. Cyber-attackers have several vectors for breaking into web applications, but SQL injection continues to be by far their most popular choice. Akamai's State of the Internet report shows that SQL injection now represents nearly two-thirds (65.1%) of all web application attacks.
We hope that, with this book, developers will be able to build more secure systems and security testers will find, in the early stage of development, vulnerabilities that might lead to SQL injection.
Who this book is for
This book is designed for two types of readers. It's primarily aimed at anyone who has basic programming experience (whether in the mobile, web, or backend domain) and wants to add more value to their work with security capabilities for building more resilient software. Security practitioners are the second group for whom this book is designed. Using the information contained in this book, they will be able to better understand some of the most critical vulnerabilities that are used, every day, to hack systems around the world.
This book follows a step-by-step approach; anyone can learn effective techniques to build highly secure software or to improve their application security testing posture, even when working on new topics, such as mobile and IoT.
What this book covers
Chapter 1, Structured Query Language for SQL Injection, serves as a theoretical introduction to the topic, describing at a high level what SQL is, what it is used for, and its possible weaknesses that lead to SQL injection. This theoretical overview is crucial in order to understand concepts behind SQL injection such as database management systems, database models, and SQL.
Chapter 2, Manipulating SQL – Exploiting SQL Injection, continues the theoretical approach to the topic while moving closer to the practical aspects of SQL injection attacks. This chapter includes examples of input strings that could be used to trigger SQL injection for many different purposes.
Chapter 3, Setting Up the Environment, covers the setup of the test environment that will be used in the core of the practical elements of this book, while also defining the main approach behind it.
Chapter 4, Attacking Web, Mobile, and IoT Applications, deals primarily with SQL injection against traditional web applications, which is the most common context, using both manual and automated techniques and relying on the toolset we discuss in the previous chapter. We will also see, through practical examples, how mobile applications and IoT devices can be vulnerable to SQL injection attacks.
Chapter 5, Preventing SQL Injection with Defensive Solutions, focuses on the defensive side of things: now that we know that such an impressive and destructive type of vulnerability exists – and how simple in principle it would be to exploit it – how can we stop it?
Chapter 6, Putting It All Together, serves as a review of what you learned in this book by summarizing and analyzing what we've seen, putting everything in a critical perspective and considering the broader implications not only of SQL injection, but also of security vulnerabilities in general, in a world that relies on information technology and data.
To get the most out of this book
In order to properly follow what is presented in the book, you will need only a PC; it doesn't matter which operating system is installed. Further requirements will be explained in detail in the book, step by step. However, any knowledge of Java and Android development and of SQL syntax would be useful.
The installation of the necessary software will be discussed in the book when needed, and involves the following:
- An Android development environment (Android Studio IDE, Android SDK—API Level 30 and an Android Virtual Device)
- Apache Tomcat 9.0
- MySQL 8.0 (Development Suite)
- Java Development Kit (14.0.1)
- Eclipse (IDE for Enterprise Java Developer)
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copying/pasting of code.
Download the example code files
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
- Log in or register at www.packt.com.
- Select the Support tab.
- Click on Code Downloads.
- Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
- WinRAR/7-Zip for Windows
- Zipeg/iZip/UnRarX for Mac
- 7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/SQL-Injection-Strategies. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Code in Action
Code in Action videos for this book can be viewed at https://bit.ly/3fioIHt.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781839215643_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Let's try the infamous ' or 1=1 -- - string in the username field…"
A block of code is set as follows:
<!-- The opening Envelope element was missing from this fragment; the soapenv, xsi and xsd namespace URIs below are the standard SOAP 1.1 / XML Schema ones, and the urn: namespace is a placeholder for the service's own namespace -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:urn="urn:service-namespace-placeholder">
<soapenv:Header/>
<soapenv:Body>
<urn:getUser soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<username xsi:type="xsd:string">username_here</username>
</urn:getUser>
</soapenv:Body>
</soapenv:Envelope>
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on the Create New Virtual Machine button and complete the settings in the wizard."
Tips or important notes
Appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the Errata Submission Form link, and enter the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.