ngreenwood6 Posted December 20, 2008
OK, I am trying to figure out how to test my PHP scripts for SQL injection. Say I had this code:

$query = "SELECT * FROM login WHERE username='$username'";

Now say that I did not use mysql_real_escape_string on the $username variable. How could I test for SQL injection?
Mad Mick Posted December 20, 2008
Try entering this as a user name:

name' or 'x' = 'x' --

It should log in correctly if you are vulnerable...
webref.eu Posted December 20, 2008
The basic technique is to attempt to create user names that will add SQL code to your SQL query, e.g. usernames that append the DROP database command etc. Hackers will form the username such that it adds onto your SQL and causes dangerous SQL to be executed.
Rgds
ngreenwood6 Posted December 20, 2008
I tried what you said but it did not work. It just gave me my error. I try the username in the database and it works. My login page looks like this:

<?php
$username = $_POST['username'];
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("tests");
// $username is deliberately not escaped: this is the line being tested for injection.
$query = "SELECT * FROM users WHERE username='$username'";
// mysql_query() returns false on a SQL error, which makes mysql_num_rows() below complain.
$results = mysql_query($query);
$num_rows = mysql_num_rows($results);
$row = null;
if ($num_rows == 1) {
    $row = mysql_fetch_assoc($results);
}
// No row, or a row whose stored username differs from what was submitted, is rejected.
if ($row === null || $row['username'] != $username) {
    echo "That username is incorrect.";
} else {
    session_start();
    $_SESSION['logged_in'] = TRUE;
    $_SESSION['username'] = $username;
    header("location:logged_in.php");
}
?>
Mark Baker Posted December 20, 2008
username = '; delete from users
ngreenwood6 Posted December 20, 2008
What the heck does that mean? I tried entering that into the space and it says the supplied argument is not valid.
Mad Mick Posted December 20, 2008
Maybe you have magic quotes on so that escaping is done anyway. Check phpinfo()/php.ini
ngreenwood6 Posted December 20, 2008
No, it's not on. I think it is because of this line:

if($row['username'] != $username) {
    echo "That username is incorrect.";
}

It checks the username and since it is not getting a username it is automatically failing.
Mark Baker Posted December 20, 2008
"what the heck does that mean?"

If inserted into your SQL, it should give

$query = "SELECT * FROM users WHERE username=''; delete from users";

Potentially, that can then execute both statements against your database at the line in your code that says

$results = mysql_query($query);

First: SELECT * FROM users WHERE username=''' returning no valid results
Then: delete from users
Mark Baker Posted December 20, 2008
As an alternative, try 'OR''=' as a username to enter in your form and pass to the login as a POST var, although that should be trapped by your

if($row['username'] != $username) {
    echo "That username is incorrect.";
}
ngreenwood6 Posted December 20, 2008
No, that didn't work either. I now understand how it works though, and that was the point of this post. Thanks for the help.
webref.eu Posted December 21, 2008
See also: http://www.learnphponline.com/security/sql-injection-prevention-mysql-php
Rgds