Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

need assistance with sql injection

Tags:

sql

php

sql-injection

First, I'm not trying to hack or do anything illegal. Thought I let you guys know. I have a client that want's me to do some modifications on his system, when I was looking at it I notice that NOTHING was escaped. I'm not joking, nothing is being escaped. I explained to him that it's insecure to have a system like that. He then proceeds to tell me that he's had his system like this for few years and nothing has happened. I need to show him that his system is not safe, but I really don't know to do perform an sql injection. Here's a few queries that use $_GET and are not escaped.

SELECT *,DATE_FORMAT(joined,'%M %d, %Y') as \"Joined\" FROM `members` WHERE `name` LIKE '".$ltr."%' ORDER BY points DESC LIMIT $page,50

Here's another one:

SELECT * FROM groups WHERE id=$thisladder[grid]

The only thing that I see that "might" clean the $_GET is this function:

if (!ini_get('register_globals')) {
   $superglobals = array($_SERVER, $_ENV,
       $_FILES, $_COOKIE, $_POST, $_GET);
   if (isset($_SESSION)) {
       array_unshift($superglobals, $_SESSION);
   }
   foreach ($superglobals as $superglobal) {
       extract($superglobal, EXTR_SKIP);
   }
}

It's possible that the function above may be sanitizing the variables. And yes, the system also uses register globals, which is also bad.

I also made a backup, just in case.

like image 918
user962449 Avatar asked Oct 12 '11 20:10

user962449

2 Answers

Can't say it better than http://xkcd.com/327/.

But then again, as Marc B says, forget SQL injection, register_globals is much, much worse. Never thought I'd actually see it emulated, just in case it's off.

like image 123
rid Avatar answered Sep 20 '22 23:09

rid

Some fun things to show your 'friend' how stupid his code is:

http://example.com/badscript.php?_GET[]=ha+ha+I+pwned+your+GET+superglobal
http://example.com/badscript.php?_SESSION[issuperuser]=1

This sort of thing is EXACTLY why register_globals is such an outright F'ingly moronic idea, and (after FAR too long) has finally been made to default to OFF.

Forgot SQL injection - that idiotic piece of code is allowing remote PHP variable injection.

like image 26
Marc B Avatar answered Sep 19 '22 23:09

Marc B
Sign in to Comment

Related questions

Array_splice acting as array_slice?
Regular Expression for Dummies [closed]
How can I store the '€' symbol in MySQL using PHP? [duplicate]
json column vs multiple columns
How to scrape specific data from scrape with simple html dom parser
How to escape Chinese Unicode characters in URL?
Multiple instances of header() + die() in single code line
Can php source code package a library like the java .jar?
How does PHP make money? They don't solicit donations and they don't sell pro solutions [closed]
PHP PDO vs normal mysqli speed performance benchmark [closed]
Script to detect shipping carrier by tracking number [closed]
Using a favicon in Zend Framework
Public static variable value
preg_match matching pattern with asterisk (*) in it [duplicate]
How can I find out how many times a foreach construct loops in PHP, without using a "counter" variable?
Accessing an FTP directory listing with PHP
How to set this php soap header?
Are identical primary keys bad practice?
PHP: Remote Function Call and returning the result?
I am confused about PHP Post/Redirect/Get

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!