bothwell Posted July 11, 2008 Share Posted July 11, 2008 I am investigating SQL injections. Google and everybody else tells me "omg apostrophes are really bad and you should always clean them out of user input or else the sky will fall on your head". To test this I have been inputting all manner of apostrophes and badass characters into my POSTs in an attempt to break my database. My application is stubbornly ignoring my attempts and is just storing everything literally, so now I have about a million rows all called "61 hai'); DROP TABLE this;--" or similar. Does this mean that I have somehow accidentally protected myself against apostrophe-based SQL injection, or does it mean that I just haven't understood how SQL injection works? Quote Link to comment Share on other sites More sharing options...
adam84 Posted July 11, 2008 Share Posted July 11, 2008 Well I don't know every much about this subject. But if you enter a 'DELETE ~~' statement and none of your rows got deleted, I think you might be on the right track. Quote Link to comment Share on other sites More sharing options...
LooieENG Posted July 11, 2008 Share Posted July 11, 2008 put your username in the username box, and this in the password box (I think this is a common one?) ' OR 1=1-- Quote Link to comment Share on other sites More sharing options...
bothwell Posted July 12, 2008 Author Share Posted July 12, 2008 put your username in the username box, and this in the password box (I think this is a common one?) ' OR 1=1-- Yeah, I've tried stuff like that - I don't think it really matters which specific input field the dodgy characters are put into since you're only trying to see if something breaks. I have learned that if I use my own delete form to put in something like 100' or '*' then the app deletes 100 and ignores everything after the apostrophe, heh. I really don't understand why. This is my code: if(!isset($_POST['intRent'])) die ("No data!"); if(empty($_POST['intRent'])) die("You didn't select a range to delete."); $intRent = $_POST['intRent']; $dbDelete = "DELETE FROM rent WHERE rent_max='$intRent'" ; mysql_query($dbDelete) or die(mysql_error()); As you can see there are no special security measures taken here. At first I thought "maybe it's just ignoring anything that isn't a number since the database field itself is an integer", so I tested with a string field as well and got the same results - the app just reads the input literally and doesn't try to parse it. Obviously this is a good thing, but I'd love to know why it's happening. Quote Link to comment Share on other sites More sharing options...
toivo Posted July 12, 2008 Share Posted July 12, 2008 If you run the command interactively, you will see the explanation: Error 1292 Truncated incorrect integer value: '*' Cheers, Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.