SQL Injection

One popular and potentially devastating method of attack against Joomla powered sites is SQL injection. Any web application that makes use of a database usually communicates with the database for necessary functions using a special language known as 'Structured Query Language', or SQL. Joomla, by the way, uses an open source implementation of this language, MySQL.

By issuing an SQL command to a database server, the web application can control virtually any aspect of the database - adding, editing, or deleting records or tables of data. Although a powerful tool in the hands of a software developer, SQL can become a lethal weapon in the hands of a hacker.

Of course, the web server would need to be configured in such a way that prevents third parties from issuing SQL commands to the database, whilst allowing legitimate requests from the web application to be processed. The problem arises though where a programmer incorporates user input directly into an SQL command - quite a common practise.

For example, a program might want to issue an SQL command such as this:

"SELECT * FROM users WHERE first_name = 'John'"

This SQL command would request all of the records from the 'users' table in the database where the first name matches the value supplied (in this case 'John'). In many instances, the value to be matched against will need to come from the text that is entered into a form on the website, so instead of the program explicitly using the value 'John', it would need to insert the text that was entered by the user - perhaps like this (using PHP as the programming language):

"SELECT * FROM users WHERE first_name = '" . $_POST['first_name'] . "'"

In this case, the value from the form (the $_POST['first_name'] bit) is inserted directly into the command. This would work fine for normal use, but if a hacker realised how this SQL command was constructed, he could 'inject' his own SQL command and perform any operation he likes on the database.

For example, instead of entering a value like 'John' in the website's form, he could type something like this:

'; DROP users;

The single quote mark and semi-colon will cause the original SQL command to end, and then the hacker can type any SQL command he likes to be run afterwards - in this case, the command 'DROP users;' would delete the users table from the database completely.

All user input must therefore be carefully validated by the programmer, especially before use in an SQL command, and in particular single quote marks should be either removed or 'escaped' - which means they are tagged with a special symbol (or 'escape character' - usually a forward slash '/') that lets the database server know that the quote mark is part of the data and not part of the SQL command.