6.25. SQL Injection

Warning

This is to demonstrate a serious problem. Do not that statements in your code!

6.25.1. SetUp

Simulate user input (for test automation):

>>> from unittest.mock import MagicMock
>>>
>>> IN1 = "' OR 1=1; DROP TABLE users --"
>>> IN2 = "whatever"
>>> input = MagicMock(side_effect=[IN1, IN2])

6.25.2. Scenario

Ask user for credentials:

>>> username = input('Username: ')
>>> password = input('Password: ')

System uses SQL query with variable substitution:

>>> SQL_QUERY = f"""
...     SELECT * FROM users
...     WHERE username='{username}'
...     AND password='{password}';
... """

System executes query on database:

>>> print(SQL_QUERY)

    SELECT * FROM users
    WHERE username='' OR 1=1; DROP TABLE users --'
    AND password='whatever';

Exploited SQL injection, will SELECT all users with their data and then DROP all data from table users!

Why this happened? Because user input:

>>> print(username)
' OR 1=1; DROP TABLE users --
>>>
>>> print(password)
whatever

Warning

This is to demonstrate a serious problem. Do not that statements in your code!

../../_images/sql-injection.jpg