Question

In: Computer Science


Explain how the use of Prepared Statements prevents SQL injection attacks.

Please give a commented code example, describing the difference between database access with and without the use of Prepared Statements (any programming language may be used for illustration).

Solutions

Expert Solution

SQL injection is a type of attack where SQL statements are injected into the back-end query, which changes the original purpose of the SQL statements upon execution.

In the general scenario, the complete SQL query is passed and the input values are read directly.
Prepared statements use question marks (?) as placeholders for the places where the actual values need to be input for the query execution; at run time these are replaced by the actual user data. At run time, when the pointer reaches the point where the user data needs to be entered, a pre-compiled query is read from the cache and then the placeholders are replaced with the user data, where the scope for changing the input data is 0.

Consider the Java code below, which aims to select data from a table by passing username and password as "input parameters" to access the Accounts table.

Sample Code:

// Assumes a JDBC Connection `connection`, an HTTP `request` and a `page` helper
// are already in scope, as implied by the answer.
String query = "SELECT SSN,PARITY_ID FROM AccountsHolder "
    + "WHERE user=" + request.getParameter("username")
    + " and password='" + request.getParameter("Password") + "'";

try
{
    Statement statement = connection.createStatement(); // create the statement which stores the SQL
    ResultSet rs = statement.executeQuery(query);        // the concatenated text is executed as-is
    while (rs.next())
    {
        page.addTableRow(rs.getString("SSN"),
                         rs.getFloat("PARITY_ID"));
    }
}
catch (SQLException e)
{}
The actual user input will be, say, user=123 and password='tiger'. So the above code upon execution implements this SQL:
SELECT SSN,PARITY_ID
FROM AccountsHolder
WHERE user=123 and password='tiger'

There is a chance of SQL injection here, where we can add some condition which is always true to make the above username/password filter condition useless.
Ex: 2=2 is always true.
The SQL statement then becomes

SELECT SSN,PARITY_ID
FROM AccountsHolder
WHERE user=999 OR '2'='2' and password='junkvalue' OR '2'='2'
-----------------
Now, using a prepared statement, the code will be as below, where we use ? instead of passing direct values from the user and set the condition that the username should only be an integer.
So =1 OR 2=2 will fail here, hence the injection will not work, since OR is not an integer.

String query = "SELECT SSN,PARITY_ID "
    + "FROM AccountsHolder WHERE user = ? and password = ?";

try {
    PreparedStatement statement = connection.prepareStatement(query); // query is parsed before any user data is bound
    // placeholder 1 must be an integer; parseInt throws NumberFormatException for input such as "1 OR 2=2"
    statement.setInt(1, Integer.parseInt(request.getParameter("user")));
    statement.setString(2, request.getParameter("Password"));         // placeholder 2 is bound as plain data
    ResultSet rs = statement.executeQuery();
    while (rs.next())
    {
        page.addTableRow(rs.getString("SSN"),
                         rs.getFloat("PARITY_ID"));
    }
} catch (SQLException e)
{ /* ... */ }
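As an added example that is not part of the original answer, the same comparison written in Python against an in-memory SQLite database so that it runs as-is. The AccountsHolder table, its two sample rows and the tautology inputs are constructed for this example; the three lookup functions mirror the answer's concatenated query, the parameterized query, and the parameterized query with the integer check.

```python
import sqlite3

# Constructed sample data, assumed for this example only (not from the original answer).
SAMPLE_ROWS = [
    (123, "tiger", "111-22-3333", 1.0),
    (456, "lion", "444-55-6666", 2.0),
]


def make_db():
    """Build an in-memory AccountsHolder table with the columns used in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AccountsHolder (user INTEGER, password TEXT, SSN TEXT, PARITY_ID REAL)"
    )
    conn.executemany("INSERT INTO AccountsHolder VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, user, password):
    """Vulnerable form: user input is spliced into the SQL text, so it can change the grammar."""
    query = (
        "SELECT SSN, PARITY_ID FROM AccountsHolder "
        "WHERE user=" + user + " and password='" + password + "'"
    )
    return conn.execute(query).fetchall()


def lookup_prepared_text(conn, user, password):
    """Parameterized form: the query is parsed first, then the ? placeholders are bound as data."""
    query = "SELECT SSN, PARITY_ID FROM AccountsHolder WHERE user = ? and password = ?"
    return conn.execute(query, (user, password)).fetchall()


def lookup_prepared_int(conn, user, password):
    """Parameterized form plus the setInt-style check from the answer: user must be an integer."""
    user_id = int(user)  # raises ValueError for input such as "999 OR '2'='2'"
    query = "SELECT SSN, PARITY_ID FROM AccountsHolder WHERE user = ? and password = ?"
    return conn.execute(query, (user_id, password)).fetchall()


def run_demo():
    """Run legitimate and tautology inputs through each variant and collect the outcomes."""
    conn = make_db()
    good_user, good_pw = "123", "tiger"
    # Tautology input in the shape shown in the answer (constructed here).
    bad_user, bad_pw = "999 OR '2'='2'", "junkvalue' OR '2'='2"

    try:
        lookup_prepared_int(conn, bad_user, bad_pw)
        int_rejected = False
    except ValueError:
        int_rejected = True

    return {
        "concat_legit_rows": len(lookup_concatenated(conn, good_user, good_pw)),
        "concat_injected_rows": len(lookup_concatenated(conn, bad_user, bad_pw)),
        "prepared_legit_rows": len(lookup_prepared_text(conn, good_user, good_pw)),
        "prepared_injected_rows": len(lookup_prepared_text(conn, bad_user, bad_pw)),
        "prepared_int_rejects_injection": int_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup returns every row for the tautology input because the OR clauses become part of the WHERE grammar, while the parameterized lookup returns nothing: the whole string is compared as a value against the user column. The integer variant fails earlier, before any query is run, which is the behaviour the answer describes for setInt.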

