Example of SQL injection to step around authentication

I found this in one of our client’s logon audit tables (this client hosts NetTrax Web in-house):

A good example of why string building SQL is frowned upon and susceptible to SQL Injection.  

 In code, if authenticated the inputted user-id where the code simply concatenates the unscrubbed data directly into a string that builds the SQL statement, like this:
"SELECT Count(*) FROM users Where UserID = '" + UserIDInput + "'"

If the
UserIDInput is (as one of the failed attempts in the log): 
' or '1'='1

The resulting SQL would be:

SELECT Count(*) FROM users Where UserID = '' or '1'='1'
  • This is a valid SQL statement.
  • This will return the count of ALL users in the user table.

SQL parameterization example:

SELECT Count(*) FROM users Where UserID = @UserID
  • The same input from above returns 0.

Leave a thought