Thread: SQL injection

  • #1
    Regular Coder ajetrumpet's Avatar
    Join Date
    Jul 2009
    Location
    Iowa City, IA
    Posts
    407
    Thanks
    44
    Thanked 5 Times in 5 Posts

    SQL injection

    would someone be able to offer an example of an sql injection string?

    on my own website, I tried to hardcode the examples that are listed here: http://unixwiz.net/techtips/sql-injection.html


    but I only got an error page. The thing I'm concerned about is that someone might be able to delete all of the info from my mysql database. Could someone tell me how the:
    PHP Code:
    mysql_real_escape_string 
    plays into all of this?

    can query strings on the right side of the '?' be delimited by a semicolon and have more than one statement executed? as in that example above?

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    I don't believe that PHP actually supports the usage of multiple non-related DMS queries anymore. Although I'm sure it used to. I'm still fairly sure it allows multiple same-type DMS statements, although I rarely need to do so as proper joining will prevent needing to do this, and if I need something unjoinable chances are I don't want them in the same recordset anyway.
    That means that with an injected SELECT statement, you cannot embed an update or insert into it. You can however modify an insert, update, delete or select to show what you desire from it.
    PHP Code:
    $sql = mysql_query('UPDATE User SET password = "' . $_REQUEST['password'] . '" WHERE userid = ' . $_COOKIE['userid']); 
    The problem here is simple; what if the user includes this in their cookie:
    Code:
    0 OR userid = 1
    Often the administrator's userID is 1. Or perhaps they could use 0 OR username LIKE '%admin%' and all sorts of other fun stuff. On top of this, that password is also open with ' WHERE username = '%admin%' --.

    Not sure how many of those will work, especially in mysql, but you get the idea of how a little mistake can be a big problem. This doesn't even count things like the filesystem; mssql will allow you to execute commands on the filesystem, and should one want to create users that would be the place to do so.
    Your solutions are to use prepared statements or replacements for your own variables with proper escaping. This will turn something like ' WHERE username = '%admin%' -- into \' WHERE username = \'%admin%\' -- which is still effectively just a string within the password section instead of being broken out of the password field.

    You will note as well that part of injecting is some knowledge of the structure. This is where you can exploit default error reporting to expose some of the underlying query and its fields. Between this and trial and error one can deduce a table structure fairly well. This is why production environments shouldn't use error reporting and log it instead to a non-published directory.

    I don't understand your question about querystrings and semi-colons. Can you be more specific?
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
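
Added example (editor's illustration, not code from Fou-Lu's post or from PHP's manual): it rebuilds the UPDATE above three ways and runs each against an in-memory SQLite database, which is assumed here as a stand-in for MySQL so the script needs nothing but PHP's PDO extension. The function names, the User rows and the cookie value are constructed for the demonstration; addslashes() is used in place of mysql_real_escape_string() only because the latter needs a live MySQL connection.

```php
<?php
// Added example, not code from the thread. It rebuilds the UPDATE from Fou-Lu's
// post three ways and runs each against an in-memory SQLite database, which is
// assumed here as a stand-in for MySQL so the script runs with only PHP's PDO.

function buildConcatenated(string $password, string $userid): string
{
    // The thread's pattern: untrusted request and cookie values become SQL text.
    return "UPDATE User SET password = '$password' WHERE userid = $userid";
}

function buildEscapedOnly(string $password, string $userid): string
{
    // addslashes() stands in for mysql_real_escape_string(), which needs a live
    // MySQL connection. Escaping only neutralises quotes inside a quoted literal;
    // userid is never quoted, so "0 OR userid = 1" reaches the WHERE clause intact.
    return "UPDATE User SET password = '" . addslashes($password)
        . "' WHERE userid = " . addslashes($userid);
}

function updatePrepared(PDO $db, string $password, string $userid): int
{
    // Placeholders fix the SQL text before any value is seen; the values travel
    // separately and can only ever be compared, never parsed as SQL.
    $stmt = $db->prepare('UPDATE User SET password = :pw WHERE userid = :id');
    $stmt->execute([':pw' => $password, ':id' => $userid]);
    return $stmt->rowCount();
}

function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE User (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample rows: userid 1 is the administrator, as in the post.
    $db->exec("INSERT INTO User VALUES (1, 'admin', 'original'), (7, 'bob', 'hunter2')");
    return $db;
}

function passwordOf(PDO $db, int $userid): string
{
    $stmt = $db->prepare('SELECT password FROM User WHERE userid = ?');
    $stmt->execute([$userid]);
    return (string) $stmt->fetchColumn();
}

$hostileCookie = '0 OR userid = 1';   // the cookie value quoted in the post

$db = freshDb();
$db->exec(buildConcatenated('changed', $hostileCookie));
printf("concatenated: admin password is now '%s'\n", passwordOf($db, 1));

$db = freshDb();
$db->exec(buildEscapedOnly('changed', $hostileCookie));
printf("escaped only: admin password is now '%s'\n", passwordOf($db, 1));

$db = freshDb();
$rows = updatePrepared($db, 'changed', $hostileCookie);
printf("prepared:     %d rows changed, admin password still '%s'\n", $rows, passwordOf($db, 1));
```

The first two runs both overwrite the administrator's password: escaping does nothing for the userid because that value is spliced in outside any quotes, which is exactly the case the post's cookie value exploits. Only the prepared statement keeps the WHERE clause fixed; the bound string is compared against the integer column as a value, matches no row, and rowCount() reports 0. That is why the answer to "how does mysql_real_escape_string play into this" is: it helps only for values that sit inside quotes, and prepared statements are the general fix.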

  • #3
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    He means something along these lines (gratuitous comic representation thrown in):


  • #4
    Regular Coder ajetrumpet's Avatar
    Join Date
    Jul 2009
    Location
    Iowa City, IA
    Posts
    407
    Thanks
    44
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by Fou-Lu View Post
    I don't understand your question about querystrings and semi-colons. Can you be more specific?
    what I mean is, will this work:
    PHP Code:
    login.php?user=me or 1=1;drop%20table%20users 
    does that make sense? in other words, how can you write a DROP TABLE statement and inject the database by hardcoding and/or typing into the URL directly?

    tx

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Loved that comic; I remember that one now always gave me a laugh.

    Oh I gotcha. Yeah you can pass data through the querystring as well; it's similar to poisoning the cookies. It is a little trickier though since you need to do some work on the client end to get it, but it's a matter of encoding it properly to be decoded by PHP when shoved into the GET. Never ever ever trust users.

    The drop table doesn't actually work in mysql through PHP (I was mentioning this in the first post) in combination with other statements. I'm pretty sure it used to, but nowadays it doesn't appear that you can combine multiple non-related queries into a single type. This is a valid query:
    Code:
    SELECT * FROM Users; SELECT * FROM Posts;
    And I think that PHP will allow that, but I remember testing this not that long ago and these failed when run in PHP:
    Code:
    SELECT * FROM Users; UPDATE Users SET password = '' WHERE Username = 'Administrator';
    The syntax is fine for SQL itself, but it won't work in PHP. Seems that the DMS's must be related in order to run together. I'd assume the same with the DDS's, especially in regards to a DMS and DDS together.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
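
Added example (editor's illustration, not code from the thread): it takes the stacked statement from the post above and hands it to three PDO entry points against an in-memory SQLite database, assumed here as a stand-in for MySQL so the script runs with only PHP's PDO. The probe() helper, the Users table and its single row are constructed for the demonstration; the script reports what each entry point actually did rather than assuming it.

```php
<?php
// Added example, not code from the thread. It feeds the stacked statement from
// Fou-Lu's post to three PDO entry points against an in-memory SQLite database
// (assumed stand-in for MySQL) and reports whether the second statement ran.

$stacked = "SELECT * FROM Users; UPDATE Users SET password = '' WHERE Username = 'Administrator';";

function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (Username TEXT PRIMARY KEY, password TEXT)');
    // Constructed sample row.
    $db->exec("INSERT INTO Users VALUES ('Administrator', 'secret')");
    return $db;
}

function adminPassword(PDO $db): string
{
    $stmt = $db->prepare('SELECT password FROM Users WHERE Username = ?');
    $stmt->execute(['Administrator']);
    return (string) $stmt->fetchColumn();
}

// Run one entry point on a fresh database, catch any driver error, and report
// whether the trailing UPDATE took effect.
function probe(string $label, callable $run): string
{
    $db = freshDb();
    try {
        $run($db);
        $status = 'accepted';
    } catch (PDOException $e) {
        $status = 'rejected (' . $e->getMessage() . ')';
    }
    $effect = adminPassword($db) === '' ? 'UPDATE ran' : 'UPDATE did not run';
    return "$label: $status; $effect";
}

// PDO::exec() hands the whole text to the driver's multi-statement executor.
echo probe('PDO::exec  ', fn(PDO $db) => $db->exec($stacked)), "\n";

// PDO::query() prepares the text as one statement; what happens to the rest
// of the string is driver-specific, which is the point: it is not a defence.
echo probe('PDO::query ', fn(PDO $db) => $db->query($stacked)->fetchAll()), "\n";

// The way user input should travel: as a bound value of a fixed statement.
echo probe('bound value', function (PDO $db) use ($stacked) {
    $stmt = $db->prepare('SELECT * FROM Users WHERE Username = ?');
    $stmt->execute([$stacked]);
}), "\n";
```

On SQLite the exec() probe runs both statements and blanks the password, while the bound-value probe only compares the whole string against the Username column and changes nothing. The query() row shows whatever the driver does with the text after the first semicolon, and that is the lesson behind the "it fails in PHP" observation in the post: with MySQL, mysqli_query() and the old mysql_query() send the text without the multi-statement client flag, so the server rejects it with a syntax error, but mysqli_multi_query() runs every statement, and pdo_mysql accepts stacked statements unless the connection sets PDO::MYSQL_ATTR_MULTI_STATEMENTS to false. An API that happens to refuse stacked queries today is not what keeps the DROP TABLE out; the prepared statement is.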

