
So I wanted to know if there is an acceptable method to allow SQL injection.

Example:

Limit permissions on the table(s)/database(s)

Why you ask?

My employer wanted to devise a way to test the skills of applicants, one suggestion was to allow resume submissions via SQL Injection.

Any thoughts? Suggestions?


Phill Pafford

2 Answers


You could use roles. Create a role for the web application (or whatever) that is used to connect to the database. Limit this role to only permit INSERT and access to necessary tables for applying. Applicants with access to your database through the application could then only use SQL injections to add their resume.

It may be possible for someone more talented in SQL to use injections in a way that increases the role's permission. But I think if the role had limited access to only specific tables and didn't have CREATE or GRANT privileges, the user wouldn't be able to create new roles.

Here is some information on roles to get you started:

Adding Roles to MySQL with MySQL Workbench

Creating Roles in PostgreSQL

GRANT command - used to add privileges to users on table, database, etc. This page is for PostgreSQL, but MySQL is very similar (see this SO answer)

Matt
  • Wouldn't applicants just be able to INSERT their resumes without the need for SQL injection? – Phill Pafford Oct 11 '13 at 16:27
    If you just have a form for applicants to enter a name & email to be alerted when positions are posted. No direct way to upload a resume, but the form provides contact to the db. Then, similar to the comic, you might put `Matt'); INSERT resume...` in the name field. I'm not really clear what you have set up for them to use or what instructions are given. – Matt Oct 11 '13 at 16:36
  • Alternatively, you could just have a separate database for the applicants to inject their information. Applicants can circumvent the initial limited access and do as much damage as they want without your employer losing any of the information they need. Then have a script saving the information elsewhere (so one applicant doesn't remove other resumes), and reset the database privileges to their initial limited access. – Matt Oct 11 '13 at 17:00
  • Thanks, I like the approach of limiting the input fields – Phill Pafford Oct 11 '13 at 17:17
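The least-privilege role the answer describes, written out for PostgreSQL as an added example (not code from the answer or its linked pages). The database name `hiring_sandbox`, the table `resumes` with its `resumes_id_seq` sequence, and the role name `resume_app` are assumptions; the `has_table_privilege()` checks at the end confirm that the role can insert but cannot read, modify or delete anything.

```sql
-- Added example: a role that can only INSERT into the resume table.
-- Assumed objects: database hiring_sandbox, table resumes(id SERIAL, name, email, resume_text).

-- No superuser, no CREATEDB, no CREATEROLE: even a successful injection cannot
-- mint a more powerful role or a new database for itself.
CREATE ROLE resume_app LOGIN PASSWORD '<placeholder-password>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Start from nothing: strip the default PUBLIC grants so the role only
-- holds what is granted explicitly below.
REVOKE ALL ON DATABASE hiring_sandbox FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- The minimum needed to connect and append a row.
GRANT CONNECT ON DATABASE hiring_sandbox TO resume_app;
GRANT USAGE ON SCHEMA public TO resume_app;
GRANT INSERT ON TABLE resumes TO resume_app;
GRANT USAGE ON SEQUENCE resumes_id_seq TO resume_app;  -- needed for the SERIAL id

-- Verification: each call returns true/false for the named privilege.
-- Expected: the first is true, the remaining three are false.
SELECT has_table_privilege('resume_app', 'resumes', 'INSERT') AS can_insert,
       has_table_privilege('resume_app', 'resumes', 'SELECT') AS can_select,
       has_table_privilege('resume_app', 'resumes', 'UPDATE') AS can_update,
       has_table_privilege('resume_app', 'resumes', 'DELETE') AS can_delete;

-- A second check from the role's own point of view: the INSERT succeeds,
-- the DELETE is rejected with "permission denied for table resumes".
SET ROLE resume_app;
INSERT INTO resumes (name, email) VALUES ('Matt', 'matt@example.com');
DELETE FROM resumes;
RESET ROLE;
```

Run the verification block after any schema change, since a later `GRANT ALL` or a table recreated without the revokes silently widens what an injected statement can do.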

Given that the reason behind this is to test people's ability, create a database with data you can afford to lose. Set up a form that posts to a ColdFusion or PHP or Java or .NET or some other type of page which connects to that database.

On the form, put a textarea and submit button. On the form target page, log what they put in the textarea. Compare the log to the database to see how it turned out.

Then test to your heart's delight.

Dan Bracuk