This post is a bit technical. I've included it here to give prospective new entrants to the field of online event registration a little education about one way your new online registration software might be vulnerable to being hacked. If you've picked a good ASP, i.e. Application Service Provider, for your online registration software, that provider no doubt has defenses against SQL injection attacks.
What is an SQL injection attack and why is it a concern with respect to online registration software?
SQL injection is a technique a hacker uses to read confidential information from your registration database. The hacker may also be able to make unauthorized alterations or deletions to the database, and in some cases can take total control of it. The trick is to 'embed' SQL commands in the text the hacker types into your registration form's input boxes, so that the database executes them as part of the query your software builds.
Here is the nature of an SQL injection attack, illustrated with an example made against the back-end login page. Most event registration software packages have a back-end set of administrative pages where merchants log in and administer the registration process.
The login process normally begins with two prompts, one for the user's e-mail address and one for the password. The user enters data similar to what is shown below and pushes the 'submit' button, and the credentials are posted to the ASP's web server for authentication.
In the authentication code on the ASP's server there is usually some sort of database, and one common type is an SQL database. A command like the following might be used in the process of deciding whether or not to grant the user access:
select email,password from users where email='firstname.lastname@example.org'
Fig 1. An SQL command used to Authenticate a User
The command above fetches the stored password, and subsequent lines of code compare it with the one the user submitted in order to authenticate the user.
I realize that the stored password might be hashed or encrypted, and that the command in Fig 1 may take other forms, but here is what the hacker could do in this case. Instead of an e-mail address, the hacker types this into the login box:
Login: a' OR username like '%Steve%
In the code on the ASP's server, the usual command now looks like this:
select email,password from users where email='a' OR username like '%Steve%'
Fig 2. The SQL command from Fig 1 with an SQL injection inserted in place of the email
Note what the hacker has done: the single quote after the letter a closes the e-mail literal early, the rest of the input becomes part of the SQL command, and the closing quote the code appends completes the injected expression. By guessing the fieldname for the user, i.e. username, the hacker has turned the query into one that returns a row for every user whose username contains the string 'Steve', and the code that follows now operates on those rows instead of on the single account that was asked for.
Yikes, what an unintended consequence!
There are countless other nefarious strings that hackers keep in their toolkits for attacking SQL databases. To read more about SQL injection, see http://www.unixwiz.net/techtips/sql-injection.html
In addition to the hack in Fig 2, there are similar hacks for
- finding a list of the database tables used
- finding fieldnames used in a table
- guessing passwords by trial and error
- adding a new user
- deleting data.
A hacker can easily shut you down if your ASP doesn't defend against SQL-injected input.
How does an ASP guard against an SQL injection attack? There are many ways. The important thing is that you've picked an ASP that does guard against this threat. At the ASP I work at, we use 'expect' functions. That is, before we do a password check for a user, we run the posted user name through a function called expectEmail(email). This function demands that the submitted user name obeys our rules for valid e-mail addresses, so a string like the one in Fig 2, with its quote marks and spaces, is rejected before it gets anywhere near the database. Throughout our code we use a whole range of expect functions, for example expectDate(), expectTelephoneNo(), expectLastName(), expectAge() etc. Validation of this kind is a good first line of defense, but it is worth knowing that the standard fix for the root cause is to stop building SQL commands by pasting user input into them at all: the database code passes the user's value to the database as a separate parameter (a 'prepared' or 'parameterised' query), so that whatever the user types is treated as data and can never be read as part of the command. That matters for fields such as last names, where a legitimate value like O'Brien contains the very quote character that Fig 2 abuses.
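To make the Fig 2 attack and the two defenses just described concrete, here is an added example that is not code from the original post or from any ASP. It uses Python's built-in sqlite3 module with a small users table of constructed sample data; the login query, the payload from Fig 2, the expect_email() rule and the regular expression behind it are all assumptions made for illustration, not the author's actual code. login_vulnerable() builds the query by string concatenation exactly as in Fig 1 and Fig 2, login_safe() runs the same lookup with a bound parameter, and login_validated() adds an expectEmail-style check in front of it.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("steve.jones@example.org", "SteveJ", "hunter2"),
    ("b.stevens@example.org", "BSteven", "s3cret"),
    ("anna.lee@example.org", "AnnaLee", "pa55word"),
]

# Hypothetical e-mail rule in the spirit of the post's expectEmail(): one local
# part, one "@", a dotted domain, and none of the characters an injected SQL
# fragment needs (quotes, spaces, comment markers).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_email(value):
    """True if value matches the whitelist rule above."""
    return isinstance(value, str) and EMAIL_RE.fullmatch(value) is not None


def expect_email(value):
    """Return value unchanged if it is a valid e-mail address, else raise."""
    if not is_valid_email(value):
        raise ValueError("not a valid e-mail address: %r" % (value,))
    return value


def make_db():
    """In-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email):
    """The Fig 1 query built by string concatenation: the flaw the post describes."""
    sql = "select email,password from users where email='" + email + "'"
    return conn.execute(sql).fetchall()


def login_safe(conn, email):
    """Same lookup with a bound parameter; the value can never alter the SQL."""
    sql = "select email,password from users where email=?"
    return conn.execute(sql, (email,)).fetchall()


def login_validated(conn, email):
    """Validate first (the post's expectEmail idea), then query with a parameter."""
    return login_safe(conn, expect_email(email))


# The attacker's input from Fig 2.
PAYLOAD = "a' OR username like '%Steve%"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: two rows come back, one per user with 'Steve' in the name.
    print("vulnerable:  ", login_vulnerable(db, PAYLOAD))
    # Parameter binding: no account has that literal string as its e-mail.
    print("parameterised:", login_safe(db, PAYLOAD))
    try:
        login_validated(db, PAYLOAD)
    except ValueError as exc:
        # Whitelist validation rejects the payload before any query runs.
        print("validated:    ", exc)
```

Running the block shows the vulnerable query returning both users whose username contains 'Steve', while the parameterised query returns nothing and the validated path refuses the input outright. The two defenses are complementary: the parameter is what removes the injection, and the expect function gives a clean error message and keeps obviously malformed data out of the table.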
Other ASPs employ hardware devices that pre-scan posted data for injection patterns (a web application firewall, for example). Such devices are a useful extra layer, but they are not a substitute for writing the database code safely in the first place.
So when picking an ASP for your online registration software, you might ask, 'How do you guard against SQL injection?' Hopefully you'll get a sensible answer.