  • #1
    New Coder
    Join Date
    Jan 2011
    Posts
    78
    Thanks
    1
    Thanked 2 Times in 2 Posts

    General Discussion about SQL Injection

    Hey everyone. I want to know if someone has a sample code for SQL Injection. I want to try it and test it on my localhost. It's for educational purposes because I want to understand and know how SQL Injections start so I can prevent it from happening on my website if I know where to start and what to look for. Then I might be able to secure a few things for my users.


    And this isn't relevant to the topic, but how do you close your older topics? I would like to close all of my older topics up until this one. I can't seem to close them because I already solved them.

  • #2
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,302
    Thanks
    13
    Thanked 345 Times in 341 Posts
    Quote Originally Posted by xiong_ster123:
    And this isn't relevant to the topic, but how do you close your older topics? I would like to close all of my older topics up until this one. I can't seem to close them because I already solve them.
    you can’t close topics. closing is an administrative means to prevent too off-topic or unacceptable expansion of a thread.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #3
    New Coder
    Join Date
    Sep 2013
    Posts
    41
    Thanks
    0
    Thanked 1 Time in 1 Post
    Try out with the below link:
    http://www.programmerinterview.com/i...ction-example/
    A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in some cases issue commands to the operating system.

    Hope this helps.

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,058
    Thanks
    10
    Thanked 96 Times in 94 Posts
    mysql does not accept chained queries (separated with a semi-colon) so the normal quoted examples (as above) won't work there (but may on other DBs)

    SQL injection is specifically manipulating data that is then used in a database query ... e.g. if you spoofed a login form and successfully passed e.g.
    Code:
    " ' OR true "
    in the 'password' field
    to an unsanitized script then you can see how that might affect the result of a database query and the issues it could cause if the query was a simple "SELECT $blah from $table WHERE user={$username} AND password={$password}"

    Simply escaping the ' will stop that attack so that's why we sanitize user input.
    Note that simply removing single quotes is not enough, there are other ways to pass their equivalent which is why mysql_real_escape_string etc. is important.

    That's one side of it, the other is not really SQL injection but... I have seen many scripts where once someone is logged in then anything goes, e.g. if you use _REQUEST data to call or edit sensitive information then you also have to check if the user requesting the information is the same as the owner of the information...

    e.g. one might.. in a user control panel ...

    "SELECT * FROM user_table WHERE user={$_REQUEST['user_id']}"

    now that's fine, but what if I pass another user's ID in the query string .. yes this happens, obvious of course but it's amazing how many places grant you access to others' data when you are logged in yourself.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
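The second point in the post above (a logged-in user fetching another user's record by changing `user_id` in the query string) is worth seeing in code. The following is an added example, not firepages' code: a control-panel lookup that validates the id, checks that the requester owns the record, and then binds the id as a parameter instead of pasting it into the SQL. The `user_table` columns, the session layout and the connection details are assumptions.

```php
<?php
// Added example: ownership check plus a bound parameter for a user-panel lookup.
// Table/column names, the session layout and the connection details are assumed.
declare(strict_types=1);

session_start();

/**
 * Return the profile row for $requestedId, or null if the caller may not see it.
 * $sessionUserId comes from the session set at login, never from $_REQUEST.
 */
function fetchOwnProfile(mysqli $db, int $sessionUserId, string $requestedId): ?array
{
    // 1. Validate the shape of the input before it goes anywhere near SQL.
    if (!ctype_digit($requestedId)) {
        return null;
    }
    $id = (int) $requestedId;

    // 2. Authorisation: the requester must be the owner of the record.
    //    A perfectly valid id that belongs to someone else is simply not served.
    if ($id !== $sessionUserId) {
        return null;
    }

    // 3. Prepared statement: the id travels as a parameter, not as SQL text.
    $stmt = $db->prepare('SELECT user, email FROM user_table WHERE user = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($user, $email);
    $row = $stmt->fetch() ? ['user' => $user, 'email' => $email] : null;
    $stmt->close();

    return $row;
}

// Usage with placeholder connection details (replace with your own).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

$sessionUserId = (int) ($_SESSION['user_id'] ?? 0);
$requested     = (string) ($_REQUEST['user_id'] ?? '');

$profile = fetchOwnProfile($db, $sessionUserId, $requested);
if ($profile === null) {
    http_response_code(403);
    exit('Not allowed');
}
print_r($profile);
```

The ownership comparison is done in PHP before the query runs; if the application has records that several users may share, the same idea becomes a `WHERE user = ? AND owner = ?` clause with the session user bound as the second parameter, so the database itself never returns a row the caller is not entitled to.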

  • #5
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    All modern databases allow you to keep the query and data separate so as to make SQL injection impossible. So such things only exist with antiquated code that is yet to be brought up to date.

    With mySQL you use a PREPARE statement to supply the SQL and a bind statement to supply the data. It is then impossible for anything in the data to inject itself into the code because they are not even in the same statement.

    Of course that still doesn't deal with the other issue firepages brings up - failing to validate the data before using it. Even now that injection is impossible you still need to properly validate the data or your database will be filled with meaningless junk.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #6
    New Coder
    Join Date
    Jan 2011
    Posts
    78
    Thanks
    1
    Thanked 2 Times in 2 Posts
    @ Dormilich Thanks. I just wanted to know if an admin can do that for me or if it's ok for someone to close all of my topics until this one. I don't want someone commenting on something that's old already.

    @ priyankagound Thanks. I'll try to make a vulnerable login page and try to apply those on it so I can see if it affects me.

    @ firepages Thanks. I'll have to try that as well. But when you say that some of the basic selects that aren't sanitized can be vulnerable, does that mean that a simple select and redirect won't change it? Like it'll require some values, but if the user doesn't know the actual method of what the page is doing then it should be safe, right? E.g.

    page called buy.php has a simple select and redirect after select is successful. If the user knows what it's selecting, they can manipulate it even after a redirect? Because if I do a redirect, they won't know what the specific page is actually trying to get. By the time they do know, it already redirects them back to the original page.

    @ felgall Thanks. I'm still wondering if real escape and prepare have a difference. But in some cases, what are real escape and prepare mainly for? I haven't really used prepared statements before so I wouldn't really know the objective for them.

  • #7
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,332
    Thanks
    60
    Thanked 526 Times in 513 Posts
    Blog Entries
    4
    To be honest, I still wonder how it all works internally.

    This is the log of one of my scripts that has been updated to use mysqli (which is supposedly injection proof):

    Code:
    131018  8:23:46	    3 Connect	*******@localhost on safrane
    		    3 Prepare	select * from dtb where `Alpha_Letter` = lower(?)
    		    3 Execute	select * from dtb where `Alpha_Letter` = lower('a')
    		    3 Close stmt	
    		    3 Quit
    Note how the variable with the value 'a' is still inserted directly into the query there..
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!
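To put felgall's PREPARE-and-bind advice and tangoforce's log side by side, here is an added example (not either poster's code) of the login check from firepages' post written with mysqli prepared statements. The `users` table, its `password_hash` column and the connection details are assumptions; the password is deliberately checked in PHP with `password_verify()` rather than in the SQL, which is a design choice of this example, not something the thread prescribes.

```php
<?php
// Added example: login with a mysqli prepared statement.
// Table/column names and connection details are assumed.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Returns the user id on success, null on failure.
 * Whatever is typed into the password field (for instance the "' OR true"
 * from earlier in the thread) is only ever compared, never parsed as SQL,
 * because the user name is bound as a value and the password never enters a query.
 */
function authenticate(mysqli $db, string $username, string $password): ?int
{
    // Validation is a separate concern from injection: reject shapes that can
    // never be a real user name so junk does not reach the database at all.
    if ($username === '' || strlen($username) > 64) {
        return null;
    }

    // The statement text contains a placeholder; the value is sent separately
    // in the execute step, which is the "not even in the same statement" point.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return null;
    }
    // Compare against the hash stored with password_hash() at registration.
    return password_verify($password, $hash) ? (int) $id : null;
}

// Usage with placeholder connection details.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$userId = authenticate($db, $username, $password);
echo $userId === null ? "Login failed\n" : "Logged in as user {$userId}\n";
```

About the log in the previous post: the `Execute` line there is written by the server with the bound value filled in so that the log is readable, but what actually went over the wire was the prepared statement (the `Prepare` line with `?`) followed by the value in a separate execute packet. That is why the log looks as if the value was "inserted directly" even though the server never parsed it as part of the SQL.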

  • #8
    New Coder
    Join Date
    Jan 2011
    Posts
    78
    Thanks
    1
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by tangoforce:
    To be honest, I still wonder how it all works internally.

    This is the log of one of my scripts that has been updated to use mysqli (which is supposedly injection proof):

    Code:
    131018  8:23:46	    3 Connect	*******@localhost on safrane
    		    3 Prepare	select * from dtb where `Alpha_Letter` = lower(?)
    		    3 Execute	select * from dtb where `Alpha_Letter` = lower('a')
    		    3 Close stmt	
    		    3 Quit
    Note how the variable with the value 'a' is still inserted directly into the query there..
    Ah thanks for the input. I'll try it out.

    This isn't towards this poster, but a general question.
    How can I do a MySQLi real escape?

    This one doesn't work
    Code:
    mysqli_real_escape_string
    And this one gives me an error
    Code:
    $mysqli->real_escape
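As an added example (not the poster's code) of the two spellings of the mysqli escape function, applied to the `' OR true` input from earlier in the thread, with the caveat that escaping only helps when the value sits between quotes in the SQL. Connection details and the `users` table are placeholders; `real_escape_string` is the method name in the mysqli class (`escape_string` is its alias).

```php
<?php
// Added example: mysqli escaping in procedural and object form, and its limits.
// Connection details and the users table are placeholders.
declare(strict_types=1);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // the escaper depends on the connection charset

$raw = "' OR true";

// Procedural form: the connection is the FIRST argument, the string the second.
$escapedProcedural = mysqli_real_escape_string($db, $raw);

// Object form: the method is real_escape_string(), not real_escape.
$escapedObject = $db->real_escape_string($raw);

// Both yield  \' OR true  : the quote is backslashed so it stays inside the literal.
var_dump($escapedProcedural === $escapedObject); // bool(true)

/**
 * Escaping is only meaningful when the value is wrapped in quotes in the SQL.
 */
function findUserByName(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '"
         . $db->real_escape_string($username) . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

/**
 * For an unquoted numeric column escaping does nothing useful: a value such as
 * "1 OR true" contains no quote characters and comes back unchanged. Validate
 * the shape and cast instead (or bind it as an integer parameter).
 */
function findUserById(mysqli $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null; // anything that is not a plain non-negative integer is rejected
    }
    $sql = 'SELECT id, username FROM users WHERE id = ' . (int) $id;
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// "' OR true" is now looked up as a literal user name; "1 OR true" is rejected outright.
var_dump(findUserByName($db, $raw));
var_dump(findUserById($db, '1 OR true')); // NULL
```

The difference the earlier posts were getting at: escaping patches the string so the parser keeps it inside a literal, which works only if you quote correctly everywhere and match the connection charset, while a prepared statement never lets the value reach the parser at all.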

