SQL Injection Attacks and Numeric Parameters

Understanding numeric SQL injection

Attacks against numeric parameters are the simplest way to achieve a SQL injection. This kind of vulnerability is also widespread, since developers often assume that numeric parameters are safe when in most cases they are not. Let's now see how and why it is possible to inject SQL segments in this case.

Numeric Parameter Injection Example

The best way to demonstrate how SQL injection in numeric parameters works is probably by covering an example. Let’s take a webpage that shows information about a product. The product displayed is indicated in the URL via a GET parameter named id. Here is what the URL looks like when a regular user views a product.

The id parameter in the URL.

http://www.victim.com/viewProduct.php?id=1

The script behind this webpage does the following.

Building the query without sanitizing input.

// The raw GET value is concatenated straight into the SQL text (vulnerable by design).
$sql = "SELECT id, name, description FROM products WHERE id=".$_GET['id'];


Query generated (this query is executed).

SELECT id, name, description FROM products WHERE id=1

As expected, the product which has id 1 is displayed in the webpage. Now what happens if an attacker manipulates the WHERE clause by submitting a specially crafted parameter?

URL visited by the attacker (crafted parameter).

http://www.victim.com/viewProduct.php?id=1 OR 1=1


Query generated.

SELECT id, name, description FROM products WHERE id=1 OR 1=1

This case is pretty inoffensive since the webpage simply shows all products contained in the database. However, the attacker could inject a SQL segment that would have a much bigger impact.

Parameter submitted by the attacker.

1; DROP TABLE products


Query generated.

SELECT id, name, description FROM products WHERE id=1; DROP TABLE products

As you can guess, this SQL injection attack would delete all products in the database by executing a second query after the initial SELECT. This technique is detailed in the article about stacked queries attacks.
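As an added example (not code from the original article), the following PHP reproduces the concatenated query above and contrasts it with a lookup that validates the id and binds it as an integer parameter through PDO. The products table and its columns are the article's; the PDO DSN and credentials in the trailing comment are assumptions.

```php
<?php
// Added example, not code from the original article. It reproduces the
// article's concatenated query so the three inputs can be compared with a
// parameterised lookup. Table and column names come from the article; the
// PDO connection in the trailing comment is an assumption.

// Vulnerable builder: the article's pattern. Whatever string the client
// sends becomes part of the SQL text, so "1 OR 1=1" widens the WHERE clause
// and "1; DROP TABLE products" appends a second statement.
function buildProductQueryUnsafe(string $rawId): string
{
    return "SELECT id, name, description FROM products WHERE id=" . $rawId;
}

// Hardened lookup: validate the value as an integer, then bind it as a
// typed parameter so the DBMS never parses it as SQL.
function fetchProduct(PDO $db, $rawId): ?array
{
    // FILTER_VALIDATE_INT accepts only a whole decimal integer (optional
    // sign, no leading zeros); min_range 1 is an assumed policy for ids.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject; log the raw value if you want to see tampering attempts
    }
    $stmt = $db->prepare('SELECT id, name, description FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Walk through the article's inputs (constructed; no database needed here).
foreach (['1', '1 OR 1=1', '1; DROP TABLE products'] as $input) {
    $validated = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    echo "input               : $input\n";
    echo "  concatenated SQL  : " . buildProductQueryUnsafe($input) . "\n";
    echo "  validated as int  : " . ($validated === false ? 'rejected' : $validated) . "\n";
}

// Against a real connection (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=shop', 'app', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// $product = fetchProduct($db, $_GET['id'] ?? '');
```

Run from the command line, the loop prints the article's two generated queries for the crafted inputs while the validator rejects both of them; only `1` is accepted. Setting PDO::ATTR_EMULATE_PREPARES to false makes the driver send the statement and the bound value separately, so the value is never spliced into SQL text on the client side either.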

Weak Data Typing

Injecting text (SQL segments) into a numeric parameter is definitely counter-intuitive. Nevertheless, it is possible because weakly typed languages, like PHP, do not force variables to keep their initial data type. As a result, it is possible to insert a crafted SQL statement into parameters that were supposed to contain numeric values. Obviously, this is a perfect situation for attackers to submit SQL segments and manipulate the query.

Quoted Numeric Parameters

Many DBMS support queries where numeric values are surrounded by single quotes. When testing for vulnerabilities, you must keep this possibility in mind, which means you also need to test numeric parameters as if they were text parameters.
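To make the weak typing discussed above and the quoted form concrete, here is an added PHP snippet (not from the article) that runs the article's three inputs through PHP's type predicates and then builds the quoted variant of the query. The inputs are constructed and nothing is sent to a database.

```php
<?php
// Added example, not code from the original article. It applies PHP's type
// predicates to the article's three inputs and shows the quoted query form.
// Inputs are constructed; nothing here talks to a database.

$inputs = ['1', '1 OR 1=1', '1; DROP TABLE products'];

// Every value read from $_GET or $_POST is a PHP string, no matter what the
// developer had in mind for it. The predicates below are what separates a
// genuine integer from a crafted segment.
foreach ($inputs as $raw) {
    printf("%-26s type=%s  is_numeric=%-3s ctype_digit=%-3s (int)=%d\n",
        var_export($raw, true),
        gettype($raw),                    // always "string"
        is_numeric($raw) ? 'yes' : 'no',  // only "1" passes
        ctype_digit($raw) ? 'yes' : 'no', // only "1" passes
        (int) $raw                        // the cast keeps the leading "1"
    );
}

// A plain (int) cast is a common PHP mitigation: it reduces both crafted
// inputs to 1, so nothing reaches the SQL text. It also silently discards
// the tampering, which is why an explicit check that rejects non-digits
// (and can be logged) is preferable.

// The quoted form. This statement is accepted by MySQL and most other DBMS,
// so a numeric parameter may sit between single quotes in the real query.
function buildProductQueryQuoted(string $rawId): string
{
    return "SELECT id, name, description FROM products WHERE id='" . $rawId . "'";
}

// Inside the quotes the bare payloads above are just a string literal, so a
// test that only uses them would miss this variant; the parameter has to be
// tested, and defended, as if it were text.
echo buildProductQueryQuoted('1'), "\n";
echo buildProductQueryQuoted('1 OR 1=1'), "\n";
```

The printed table shows `gettype` returning `string` for all three values, `is_numeric` and `ctype_digit` accepting only `1`, and `(int)` collapsing both crafted strings to `1`. The quoted builder shows why the article tells you to test numeric parameters as text: the defence is the same either way (validate as an integer, bind as a parameter), but a test limited to unquoted payloads would not exercise the quoted form.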