Hyrje
SQL Injection (SQLi) is a vulnerability class where an attacker can inject arbitrary SQL code into a query the application sends to its database.
Teoria
The classic example is a login form that builds a query like: SELECT * FROM users WHERE username='$user' AND password='$pass'. If the application concatenates raw user input, an attacker can submit the username ' OR 1=1-- and bypass the password check entirely, because the resulting SQL becomes SELECT * FROM users WHERE username='' OR 1=1--' AND password='anything'.
Depending on the database and application, SQL injection can be used to dump the contents of tables, modify data, escalate privileges, read files on the database server, and in some cases execute OS commands. Blind SQL injection variants exploit boolean or timing differences to extract data one bit at a time, even when the application does not return query results directly. Tools like sqlmap automate the full workflow from detection to data exfiltration.
The fix is simple and universal: never concatenate user input into SQL. Use parameterized queries (prepared statements) so that the database engine separates SQL code from data. Every modern language and framework supports this: PHP PDO, Python psycopg, Java JDBC, Node.js with pg or mysql2. Input validation is a nice secondary control but is not a substitute for prepared statements.
Mjetet
Mjetet kryesore:
- sqlmap — automatizim i plotë i SQLi.
- Burp Suite (Community/Pro) + ekstensioni Active Scan++.
- OWASP ZAP — alternative falas.
- DVWA, bWAPP, Juice Shop — laboratorë të cenueshëm.
Praktika
Kod i cenueshëm (PHP):
// GABIM — mos bëj kurrë kështu
$sql = "SELECT * FROM users WHERE email='" . $_GET['email'] . "'";
$result = mysqli_query($conn, $sql);Kod i sigurt me prepared statement:
$stmt = $pdo->prepare("SELECT id, email FROM users WHERE email = ?");
$stmt->execute([$_GET['email']]);
$user = $stmt->fetch();Test me sqlmap:
sqlmap -u "https://target.test/search?q=test" --batch --risk=2 --level=3
sqlmap -u "https://target.test/search?q=test" --dbs
sqlmap -u "https://target.test/search?q=test" -D appdb -T users --dump Ushtrime
- Instalo DVWA dhe shfrytëzo SQLi në modalitet Low. Nxirr listën e tabelave.
- Rishkruaj kodin e cenueshëm duke përdorur prepared statements.
- Konfiguro një WAF (ModSecurity + OWASP CRS) dhe provo të njëjtin payload.
Burime
- OWASP — SQL Injection.
- PortSwigger — Web Security Academy (SQL injection labs).
- sqlmap GitHub.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re