
Need help understanding MySQL injection

From http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php I got:

SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.

I read the whole article but I still have some major issues understanding what it is and how it can be done.

In the first example, what will they actually see?

As far as I understood, if I actually echo $name, they will see all the names because it will always "be true", am I correct?

The other thing I don't understand is whether THE MySQL injection problem is solved with mysql_real_escape_string(), there has to be more to it.

What I really don't get is that if mysql_real_escape_string() is made to solve that issue, why isn't this done automatically? I mean, is there a reason you have to add mysql_real_escape_string() every time? Are there cases when you should use it, and is that why they don't make this automatic?

Trufa asked Oct 17 '10 00:10


2 Answers

MySQL won't escape automatically, because you build the query string yourself. For example:

$query = 'SELECT * FROM users WHERE name="' . $name . '"';

You just pass the raw string stored in $query, which is open to SQL injection. For example, if $name is [something" OR "1=1] your query string ends up being:

$query = 'SELECT * FROM users WHERE name="something" OR "1=1"';

That would return every user from the user table. Which is why you need to escape values. However, if you use PDO, it is done for you if you use the binding functionality. It's a 2 step process, preparing the query, then "binding" the data/variables to the placeholders. In PDO, your query string would look something like this:

// The placeholder must not be quoted: ":name" in quotes would be a literal string, not a parameter.
$query = 'SELECT * FROM users WHERE name = :name';
$bindings = array('name' => 'something');
$stmt = $pdo->prepare($query);   // $pdo is an existing PDO connection
$stmt->execute($bindings);       // the value is sent separately from the SQL text

Then, things are automatically escaped for you.

Brent Baisley answered Oct 09 '22 05:10

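To see both halves of this answer run side by side, here is an added example (not from the answer above, and not MySQL-specific): the concatenated query and the PDO prepared statement, executed against an in-memory SQLite table so it works offline. The table, its rows and the variable names are constructed for the demo; the injected value uses single quotes, the standard SQL string delimiter, so the same script behaves the same way on MySQL if you swap the DSN.

```php
<?php
// Constructed demo database: three users in an in-memory SQLite table.
// For MySQL, replace the DSN with e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// "User input": the same idea as the answer's value, with single quotes.
$name = "something' OR '1'='1";

// 1) Vulnerable: the input is pasted into the SQL text, so the quote inside
//    $name closes the literal and the rest becomes part of the WHERE clause.
$unsafe = "SELECT name FROM users WHERE name='" . $name . "'";
$leaked = $pdo->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated SQL : %s\n", $unsafe);
printf("rows returned    : %d (every user)\n", count($leaked));

// 2) Safe: the placeholder is not quoted and the value travels separately,
//    so the quote in $name is plain data compared against the column.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("parameterized SQL: %s\n", $stmt->queryString);
printf("rows returned    : %d (no user has that exact name)\n", count($rows));
```

The first query prints all three names; the second prints zero rows, because the database never sees the input as SQL.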

Bobby Tables has a great summary of how SQL injection works. Of much benefit are the examples it gives in several languages (C#, Java, Perl, PHP, etc.).

In the case of PHP, it depends a lot on how you're accessing the database. You could benefit from using a database abstraction layer such as ADODB, which parameterizes queries.

calvinf answered Oct 09 '22 06:10
