Menu
I have done pretty much reading and still don't understand 100% how some of the SQL injections happen!
I'd like to see, from those who know, concrete examples of SQL injection based on my example, so it could be replicated, tested and fixed. I have tried to SQL inject my code and couldn't, so I'd like someone to prove me otherwise!
1.Am I right that SQL injection can happen ONLY with POST or GET methods, meaning that on the website it should be the post form, e.g. 'signup or search' or query like 'search.php?tags=love'?
Saying that is this possible to inject the following code that has POST method?
$name = trim($_POST['username']);
$mail = trim($_POST['email']);
$password = trim($_POST['password ']);
if ($errors == "false") {
$sql =
"INSERT INTO
clients
SET
name='" . mysql_real_escape_string($name) . "',
mail='" . mysql_real_escape_string($mail) . "',
password='" . mysql_real_escape_string(sha1($password)) . "'";
$connection->execute($sql);
}
2.The other one has GET method: rate.php?like&videoID=250&userID=30
$sql =
"SELECT
videoID
FROM
likes
WHERE
videoID = '" .mysql_real_escape_string($videoID). "' AND UID = '" .mysql_real_escape_string($userID). "' LIMIT 1";
$connection->execute($sql);
Please help those that feel free with the subject but use the concrete examples.
Thanks in advance,
Ilia
392
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more.
SQL Injection can be classified into three major categories – In-band SQLi, Inferential SQLi and Out-of-band SQLi.
SQL injection attacks happen when user input is improperly encoded. Typically, the user input is some data the user sends with her query, i.e. values in the $_GET, $_POST, $_COOKIE, $_REQUEST, or $_SERVER arrays. However, user input can also come from a variety of other sources, like sockets, remote websites, files, etc.. Therefore, you should really treat everything but constants (like 'foobar') as user input.
In the code you posted, mysql_real_escape_string is used to encode(=escape) user inputs. The code is therefore correct, i.e. does not allow any SQL injection attacks.
Note that it's very easy to forget the call to mysql_real_escape_string - and one time is enough for a skilled attacker! Therefore, you may want to use the modern PDO with prepared statements instead of adodb.
63
I've been investigating thoroughly on this subject recently and would like to share with others quite interesting material, thus, making my question more complete and instructive for everyone.
38
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
