There are many ways to explain SQL Injection, and the “best” way is clearly determined by who you’re talking to. For somewhat technical folks, I like my friend Steve’s explanation, I use the explanation below.
Two Key Concepts
SQL Injection is a computer security vulnerability where two bad things are happening at once: the Confused Deputy problem and the confusion between Data and Commands.
Confused Deputy is a security problem where someone wants to accomplish something they don’t have the permission to do, and they find a way to trick someone who does have the authority into doing it for them. A good example would be sneaking a gun into a bag of an airport worker (who bypasses security) and then retrieving it later behind the security barrier. You got the gun past security by using the authority of the airport worker.
The confusion of Data vs. Commands is easy enough to see with a couple of examples. We give computers lots of different inputs: sometimes we give them data: “My address is ‘123 Maple Street'”, and sometimes we give them commands, like, “print this photo” or “send this file”. The problem arises when the computer thinks it’s getting data (like an address), but it really gets a command (like ‘delete the hard drive’).
SQL Injection is a combination of these two issues.
The Courtroom Analogy
The best way to conceptualize this is through the analogy of a courtroom. Imagine that you have present a defendant and a judge, and that the first thing the judge does at the beginning of a case is read the roster where the defendant wrote his name. He says:
So if his name is Ender Wiggin, the judge would say:
Fair enough. But what happens if Ender writes his name as, “Case Dismissed”?
Then, when the judge does his regular speil, he’d say:
Ender then smiles and walks out of the courtroom.
This is confusion of Data and Commands because the judge thought he was reading a name (data) and instead issued a command (dismiss the case), and it’s the Confused Deputy problem because Ender is not himself able to dismiss it–he had to get the judge to do it for him.
It’s the same with computers and web pages.
- There is often confusion between Data and Commands in a web page that asks for an address (data) but receives a SQL command instead (e.g.: get me stuff from your database)
- Confused Deputy is in play because you (the web user) are not allowed to ask the database direct questions–but the web page you just gave your command to is
Either way, Ender gets what he wants: out of jail or access to data he’s not supposed to have. Slippery bugger.
1 This is an incredible explanation recommmended by my friend Joel.