9 Answers

PHP SQL injection


I have been surfing these days and got to know about SQL injection attacks. I have tried to implement one on my local machine to learn how it can be done, so that I can prevent it in my system...

I have written code like this:

PHP code:

<?php
// Deliberately vulnerable login check: the POST values are concatenated
// straight into the SQL text (this is the behaviour the question is testing).
if(count($_POST) > 0){
    $con = mysql_connect("localhost","root","") or die(mysql_error());
    mysql_select_db('acelera',$con) or die(mysql_error());
    echo $sql = 'SELECT * FROM acl_user WHERE user_email = "'.$_POST['email'].'" AND user_password = "'.$_POST['pass'].'"';
    $res_src = mysql_query($sql);
    while($row = mysql_fetch_array($res_src)){
        echo "<pre>";print_r($row);echo "</pre>";
    }
}
?>

HTML code:

<html>
<head></head>
<body>
    <!-- the inputs need a form with method="post" or nothing reaches $_POST -->
    <form action="" method="post">
    EMAIL : <input type="text" name="email" id="email" /><br />
    PASWD : <input type="text" name="pass" id="pass" /><br />
    <input type="submit" name="btn_submit" value="submit email pass" />
    </form>
</body>
</html>

By this code, if I give the input `" OR ""="` then the SQL injection should get done, but it is not working properly. In the POST data I have additional slashes if I give the above input in the password field.

Can anyone show me how an SQL injection attack can actually be done? (Code will be more appreciable.)

Answers

As everyone already said, you probably have magic quotes on. Though here is a trick: this function makes SQL injection harder to perform, but not completely impossible.

Moreover, even addslashes() can't help you with it. A possible attacker can try multi-byte charsets and some other tricks.

Here is a good article about it: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Keeping it short: if you use multi-byte chars in a single-byte environment, some of them will become two single-byte chars: slashes, quotes, etc.

  • 2

The SQL you are trying to form should look like this:

SELECT * FROM acl_user WHERE user_email = "a@a.com" Or 1=1; --" AND user_password = ""

Try entering:

a@a.com" Or 1=1; --

as the e-mail address, and ignore the password.

The `--` makes the rest of the statement ignored.

Here's some good info on the matter: http://php.net/manual/en/security.database.sql-injection.php

  • 1

Change it to this; now if you input the password as `something OR 1=1` then it will cause injection:

<?php
if(count($_POST) > 0){
    $con = mysql_connect("localhost","root","") or die(mysql_error());
    mysql_select_db('acelera',$con) or die(mysql_error());
    // No quotes around the values: the raw POST input becomes part of the SQL text
    echo $sql = "SELECT * FROM acl_user WHERE user_email = ".$_POST['email']." AND user_password = ".$_POST['pass'];
    $res_src = mysql_query($sql);
    while($row = mysql_fetch_array($res_src)){
        echo "<pre>";print_r($row);echo "</pre>";
    }
}
?>

<html>
<head></head>
<body>
<form action="" method="post">
EMAIL : <input type="text" name="email" id="email" /><br />
PASWD : <input type="text" name="pass" id="pass" /><br />
<input type="submit" name="btn_submit" value="submit email pass" />
</form>
</body>
</html>
  • 1

How to prevent an SQL injection

1) Filter input - stop believing your users: The biggest threat to the application is from its users. Users need not be as well mannered and obedient as you are expecting. Some users have really bad intentions and some simply try to test their hacking skills. Whatever code you are going to write, write it using the best practices and consider the security aspects of it. Validate every field in the form.

2) Use database wrapper classes or PDO: Database wrappers or PDO (in PHP) can reduce the risk of direct access of the input values to the database. Prepared statements can be used along with PDO as shown below.

http://www.itechnicalblog.com/what-is-a-sql-injection-and-how-to-fix-it/

  • 0
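To make the "use PDO / prepared statements" advice above concrete, and to show why the quote-doubling trick from the first answer stops mattering, here is an added example that is not part of the original question or any of the answers. It runs the same login query two ways against an in-memory SQLite database (table and user row constructed for the demo), first by string concatenation as in the question, then with a PDO prepared statement. The function names, the table contents and the use of SQLite instead of MySQL are assumptions for the demonstration.

```php
<?php
// Added example (not from the original question or answers).
// Contrast a concatenated SQL string with a PDO prepared statement.
// SQLite in-memory database so it runs offline; the table and row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE acl_user (user_email TEXT, user_password TEXT)');
$db->exec("INSERT INTO acl_user VALUES ('alice@example.com', 'secret')");

// Vulnerable form: the input is pasted into the SQL text, as in the question.
function loginVulnerable(PDO $db, string $email, string $pass): array
{
    $sql = "SELECT * FROM acl_user WHERE user_email = '$email' AND user_password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed form: placeholders are bound separately, so the SQL text never changes
// and the input is always compared as a plain string value.
function loginPrepared(PDO $db, string $email, string $pass): array
{
    $stmt = $db->prepare(
        'SELECT * FROM acl_user WHERE user_email = :email AND user_password = :pass'
    );
    $stmt->execute([':email' => $email, ':pass' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The input from the question, in single-quote form to match the SQL above.
$payload = "' OR ''='";

// Concatenated: WHERE becomes (... AND user_password = '') OR ''='' which is true -> 1 row
printf("concatenated: %d row(s)\n", count(loginVulnerable($db, 'nobody', $payload)));
// Prepared: the payload is just a string that matches no password -> 0 rows
printf("prepared:     %d row(s)\n", count(loginPrepared($db, 'nobody', $payload)));
```

Two practical notes. With a MySQL backend, put the connection character set in the DSN (`mysql:host=...;dbname=...;charset=utf8mb4`) so the client library and server agree on the encoding; that is what closes the multi-byte gap the first answer describes, which addslashes() cannot see because it works on raw bytes. And once the query is parameterized, there is no reason to compare the password inside SQL at all: select the stored hash by e-mail and check it with password_verify() in PHP.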

Use:

mysql_real_escape_string($_POST['thing'])

I would also suggest using PDO or MySQLi to connect to and query your database. The old mysql_ commands are a throwback to PHP 3; the latter offer performance improvements too.

Here is a good (but simplistic) introduction to how SQL Injection works via PHP/MySQL: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

  • -1

This article is reproduced from Stack Exchange / Stack Overflow.