Blog | G5 Cyber Security

Fix Blind SQL Injection

TL;DR

Blind SQL injection happens when a web application doesn’t show error messages or query results, but still lets an attacker infer the contents of your database from how it responds. This guide shows you how to find and fix it.

What is Blind SQL Injection?

Normally, with SQL injection, you see an error message or the results of your query directly on the webpage. With blind SQL injection, that doesn’t happen. The attacker has to infer information by observing how the application behaves – for example, if a page loads differently depending on whether a condition in their injected code is true or false.

How to Find Blind SQL Injection

  1. Identify Potential Entry Points: Look for any place where user input goes into a database query. This includes search boxes, login forms, and anything that takes data from the user.
  2. Test with Basic Payloads: Start by trying simple SQL injection payloads to see if there’s any response at all. For example:
    • ' OR '1'='1 (This is a common test for basic vulnerability.)
    • ' AND 1=1 and ' AND 1=2 to see if the page behaves differently.
  3. Time-Based Blind SQL Injection: This is one of the most reliable methods. You inject code that causes a delay in the database if a condition is true.
    ' AND IF(1=1, SLEEP(5), 0)

    If the page takes about 5 seconds to load, it suggests the condition (1=1) is true. If it loads quickly, it’s false.

  4. Boolean-Based Blind SQL Injection: You inject code that returns a different result based on whether a condition is true or false.
    ' AND 1=1#
    ' AND 1=2#

    Compare the page content for differences. Even small changes can indicate success.

  5. Error-Based Blind SQL Injection: Some applications might not show a full error, but they may change behaviour slightly when an error occurs. Try payloads that intentionally cause errors.
    ' AND 1=CAST('a' AS INT)#

How to Fix Blind SQL Injection

  1. Use Parameterised Queries (Prepared Statements): This is the *most effective* solution. Parameterised queries treat user input as data, not as part of the SQL command.
    // Example in PHP using PDO:
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute([$_POST['username']]);
  2. Input Validation: Check that user input matches the expected format. For example, if you expect a number, make sure it’s actually a number.
    • Whitelist validation: Only allow known good characters or patterns.
    • Blacklist validation: Reject known dangerous characters (e.g., single quotes, semicolons). This is less secure than whitelisting, because the list only covers the cases you thought of.
  3. Escaping User Input: If you absolutely can’t use parameterised queries, escape special characters in user input with the database driver’s own escaping function before using it in a query. An HTML escaper such as htmlspecialchars() does not protect a SQL query.
    // Example in PHP using PDO: quote() escapes the value and wraps it in quotes
    $username = $pdo->quote($_POST['username']);
    $stmt = $pdo->query("SELECT * FROM users WHERE username = " . $username);
  4. Least Privilege Principle: Make sure the database user your application uses has only the permissions it needs. Don’t give it full admin access.
  5. Web Application Firewall (WAF): A WAF can help block common SQL injection attacks, but it shouldn’t be relied on as a primary defence.
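The following is an added example, not code from the original post, showing why fixes 1 and 2 work. It uses Python with an in-memory SQLite table (constructed sample data) and the boolean-based probe from the finding section in the form without the MySQL `#` comment, since SQLite does not treat `#` as a comment; the username whitelist pattern is an assumption for a hypothetical application.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for the app's users table.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
CONN.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])


def lookup_vulnerable(username: str) -> list[int]:
    """Builds the SQL by string concatenation: the input is parsed as SQL."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in CONN.execute(sql)]


def lookup_parameterised(username: str) -> list[int]:
    """Uses a placeholder: the driver binds the input as a value, never as SQL."""
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in CONN.execute(sql, (username,))]


# Assumed whitelist for this hypothetical app: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    """Whitelist validation: rejects anything outside the expected format."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(username: str) -> list[int]:
    """Validation plus parameterised query: the layered fix the post recommends."""
    if not is_valid_username(username):
        raise ValueError("username does not match the expected format")
    return lookup_parameterised(username)


if __name__ == "__main__":
    # The boolean-based probe: the two injected inputs differ only in the condition,
    # and the concatenated query returns different rows for each (that difference is
    # the signal a blind attack reads), while the parameterised query returns none.
    for probe in ("alice", "alice' AND '1'='1", "alice' AND '1'='2"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(probe),
              "parameterised:", lookup_parameterised(probe))
```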

Tools