SQL injection

12-22-2010, 07:48 PM
Would someone be able to offer an example of an SQL injection string?

on my own website, I tried to hardcode the examples that are listed here: http://unixwiz.net/techtips/sql-injection.html

but I only got an error page. The thing I'm concerned about is that someone might be able to delete all of the info from my mysql database. Could someone tell me how mysql_real_escape_string plays into all of this?

Can query strings on the right side of the '?' be delimited by a semicolon and have more than one statement executed, as in that example above?

12-22-2010, 08:40 PM
I don't believe that PHP actually supports the usage of multiple non-related DMS queries anymore. Although I'm sure it used to. I'm still fairly sure it allows multiple same-type DMS statements, although I rarely need to do so as proper joining will prevent needing to do this, and if I need something unjoinable chances are I don't want them in the same recordset anyway.
That means that with an injected SELECT statement, you cannot embed an update or insert into it. You can however modify an insert, update, delete or select to show what you desire from it.

// Deliberately vulnerable: raw cookie and request values are concatenated straight into the SQL
$sql = mysql_query('UPDATE User SET password = "' . $_REQUEST['password'] . '" WHERE userid = ' . $_COOKIE['userid']);

The problem here is simple; what if the user includes this in their cookie:

0 OR userid = 1

Often the administrator's userID is 1. Or perhaps they could use 0 OR username LIKE '%admin%' and all sorts of other fun stuff. On top of this, that password is also open with ' WHERE username = '%admin%' --.

Not sure how many of those will work, especially in mysql, but you get the idea of how a little mistake can be a big problem. This doesn't even count things like the filesystem; mssql will allow you to execute commands on the filesystem, and should one want to create users that would be the place to do so.
Your solutions are to use prepared statements or replacements for your own variables with proper escaping. This will turn something like ' WHERE username = '%admin%' -- into \' WHERE username = \'%admin%\' -- which is still effectively just a string within the password section instead of being broken out of the password field.

You will note as well that part of injecting is some knowledge of the structure. This is where you can exploit default error reporting to expose some of the underlying query and its fields. Between this and trial and error one can deduce a table structure fairly well. This is why production environments shouldn't use error reporting and log it instead to a non-published directory.

I don't understand your question about querystrings and semi-colons. Can you be more specific?
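As an added example that is not part of the thread, here is the UPDATE from the post above rebuilt in PHP against an in-memory SQLite database via PDO, so it runs without a MySQL server. The table and column names (User, userid, username, password) are assumed from the post; the poisoned cookie value is the one the post gives. It shows the point a defender needs from this exchange: escaping (PDO::quote() stands in for mysql_real_escape_string here) only protects a value that sits inside a quoted string literal, so it does nothing for the unquoted userid in the WHERE clause, whereas a prepared statement with a bound, integer-cast id protects both values.

```php
<?php
// Added example, not code from the thread. Runs on PHP with the pdo_sqlite extension.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Schema assumed from the post's UPDATE statement
    $db->exec('CREATE TABLE User (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample rows: the admin is userid 1, as the post suggests is common
    $db->exec("INSERT INTO User VALUES (1, 'admin', 'adminpw'), (7, 'bob', 'bobpw')");
    return $db;
}

// The post's pattern: request data concatenated straight into the SQL text.
// Returns the number of rows the UPDATE touched.
function vulnerableUpdate(PDO $db, string $userid, string $password): int
{
    $sql = "UPDATE User SET password = '" . $password . "' WHERE userid = " . $userid;
    return $db->exec($sql);
}

// Escaping only: PDO::quote() escapes and quotes the password literal, which is
// exactly what mysql_real_escape_string would do for the quoted value. The userid
// is still unquoted, and "0 OR userid = 1" contains no quote characters, so the
// escaping never sees anything to neutralise and the WHERE clause is still rewritten.
function escapedOnlyUpdate(PDO $db, string $userid, string $password): int
{
    $sql = 'UPDATE User SET password = ' . $db->quote($password) . ' WHERE userid = ' . $userid;
    return $db->exec($sql);
}

// Prepared statement: both values are bound as data, never parsed as SQL, and the
// id is cast to int so a non-numeric cookie becomes 0 (no such row) instead of SQL.
function preparedUpdate(PDO $db, string $userid, string $password): int
{
    $stmt = $db->prepare('UPDATE User SET password = :pw WHERE userid = :id');
    $stmt->bindValue(':pw', $password, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function adminPassword(PDO $db): string
{
    return (string) $db->query('SELECT password FROM User WHERE userid = 1')->fetchColumn();
}

// Constructed input: the poisoned cookie value from the post
$cookieUserid = '0 OR userid = 1';

$db = makeDb();
$rows = vulnerableUpdate($db, $cookieUserid, 'x');
echo "concatenated: rows changed = $rows, admin password now '" . adminPassword($db) . "'\n";

$db = makeDb();
$rows = escapedOnlyUpdate($db, $cookieUserid, 'x');
echo "escaped only: rows changed = $rows, admin password now '" . adminPassword($db) . "'\n";

$db = makeDb();
$rows = preparedUpdate($db, $cookieUserid, 'x');
echo "prepared:     rows changed = $rows, admin password now '" . adminPassword($db) . "'\n";
```

The first two runs rewrite every row, admin included, because the injected text becomes part of the WHERE clause; only the prepared version leaves the table untouched. The same reasoning applies to the post's second payload against the password field: there the value is quoted, so escaping does help, but binding it as a parameter covers both cases without having to reason about which values are quoted and which are not.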

12-22-2010, 10:10 PM
He means something along these lines (gratuitous comic representation thrown in :D):


12-22-2010, 11:00 PM
I don't understand your question about querystrings and semi-colons. Can you be more specific?

what I mean is, will this work:
login.php?user=me or 1=1;drop%20table%20users

Does that make sense? In other words, how can you write a DROP TABLE statement and inject the database by hardcoding and/or typing into the URL directly?


12-22-2010, 11:32 PM
Loved that comic; I remember that one now, it always gave me a laugh.

Oh I gotcha. Yeah you can pass data through the querystring as well; it's similar to poisoning the cookies. It is a little trickier though since you need to do some work on the client end to get it, but it's a matter of encoding it properly to be decoded by PHP when shoved into the GET. Never ever ever trust users.

The drop table doesn't actually work in mysql through PHP (I was mentioning this in the first post) in combination with other statements. I'm pretty sure it used to, but nowadays it doesn't appear that you can combine multiple non-related queries into a single type. This is a valid query:


And I think that PHP will allow that, but I remember testing this not that long ago and these failed when run in PHP:

SELECT * FROM Users; UPDATE Users SET password = '' WHERE Username = 'Administrator';

The syntax is fine for SQL itself, but it won't work in PHP. Seems that the DMS's must be related in order to run together. I'd assume the same with the DDS's, especially in regards to a DMS and DDS together.