sleep_injection.py

import time
import sqlite3
con = sqlite3.connect("patient_data.db", isolation_level=None)

#Defined sleep function for SQLite
def sqlite_sleep(seconds):
    time.sleep(seconds)
    return None 

cur = con.cursor()
con.create_function("SLEEP", 1, sqlite_sleep)

#Testing sleep function
try:
    print("Testing sleep function...")
    res_test = cur.execute("SELECT SLEEP(5);") 
    print("Sleep function executed correctly. \n")
except sqlite3.Error as e:
    print(f"Error in Sleep Test: {e}")

## SQL INJECTION ##

#Utilizing sleep downtime to test query exectution
#If delay occurs, condition is true and input is not being sanitized/ parametrized, showing databse vulnerabilities
try: 
    print("Accessing table with time-based injection...") 
    user_input = "Cancer"
    res3 = cur.execute(f"""
        SELECT count(*) FROM encrypted_healthcare_dataset 
        WHERE medical_condition = '{user_input}'
        AND (SELECT SLEEP(7)) IS NULL;
    """)
    answ3 = res3.fetchall()
except sqlite3.Error as e:
    print(f"Error in Query 3: {e}", "\n")

#python3 sleep_injection.py