Menu
I'd like to note first that this is an education attempt on my own database to better understand MySQL injections to protect my own code.
I need to work out a couple of examples of how a MySQL injection can be constructed against the following code. It's a basic user login system where I'm accepting the username and password without any escaping
$user = (!empty($_POST['user'])) ? $_POST['user'] : '';
$pass = (!empty($_POST['pass'])) ? $_POST['pass'] : '';
The MySQL query then tries to find the entered username and password in my table called users, as follows:
$res = mysql_query("SELECT * from users where user='{$user}' AND pass='{$pass}'");
This is un-escaped input, and I'm trying to come up with MySQL injections to:
I've tried a couple of MySQL injection examples from Wikipedia, but I'm guessing the {} in my query is preventing the injection, so I would appreciate some help from those who are confident with this, and thank you to all.
536
What is PHP SQL Injection? When an attacker exploits a PHP application via an SQL Injection, they can gain access to the application's database and make the application execute unauthorized injected SQL commands to control the behavior of the application.
SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.
With MySQL, batched queries typically cannot be used for SQL injection. However, this is occasionally possible if the target application uses certain PHP or Python APIs to communicate with a MySQL database.
To perform an SQL injection attack, an attacker must locate a vulnerable input in a web application or webpage. When an application or webpage contains a SQL injection vulnerability, it uses user input in the form of an SQL query directly.
Something like this should do:
This will make your query look like
$res = mysql_query("SELECT * from users where user='foo' -- ' AND pass=''");
The "-- " means the rest of the line is commented out
This will make your query look like:
$res = mysql_query("SELECT * from users where user='foo' OR (DROP TABLE users) -- ' AND pass=''");
might not accept that though - I think subqueries can only SELECT.
The mysql_query function will only run one query - others would let you do this:
$res = mysql_query("SELECT * from users where user='foo'; DROP TABLE users -- ' AND pass=''");
You will not be able to DROP the table because using mysql_query you can't send multiple queries.
25
Here's a long list.
http://ha.ckers.org/sqlinjection/
Your code will obviously fail almost all the test as it is totally unprotected.
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
