ngreenwood6 Posted December 20, 2008
Ok I am trying to figure out how to test against my php scripts for sql injection. Say I had this code: $query = "SELECT * FROM login WHERE username='$username'"; Now say that I did not use mysql_real_escape_string on the $username variable. How could I test for sql injection?
Mad Mick Posted December 20, 2008
Try entering as a user name: name' or 'x' = 'x' -- It should log in correctly if you are vulnerable...
webref.eu Posted December 20, 2008
The basic technique is to attempt to create user names that will add SQL code to your SQL query, e.g. usernames that append the DROP database command etc. Hackers will form the username such that it adds onto your SQL and causes dangerous SQL to be executed. Rgds
ngreenwood6 Posted December 20, 2008 (Author)
I tried what you said but it did not work. It just gave me my error. I try the username in the database and it works. My login page looks like this:

    <?php
    // Raw POST value, deliberately left unescaped so the injection can be tested.
    $username = $_POST['username'];
    $conn = mysql_connect("localhost", "root", "");
    mysql_select_db("tests");
    // The input is pasted straight into the SQL text.
    $query = "SELECT * FROM users WHERE username='$username'";
    $results = mysql_query($query);
    $num_rows = mysql_num_rows($results);
    $row = null;
    if ($num_rows == 1) {
        $row = mysql_fetch_assoc($results);
    }
    // Without a fetched row (zero or many matches) the login is refused.
    if (!$row || $row['username'] != $username) {
        echo "That username is incorrect.";
    } else {
        session_start();
        $_SESSION['logged_in'] = TRUE;
        $_SESSION['username'] = $username;
        header("location:logged_in.php");
        exit;
    }
    ?>
Mark Baker Posted December 20, 2008
username = '; delete from users
ngreenwood6 Posted December 20, 2008 (Author)
what the heck does that mean? I tried entering that into the space and it says the supplied argument is not valid.
Mad Mick Posted December 20, 2008
Maybe you have magic quotes on so that escaping is done anyway. Check phpinfo()/php.ini
ngreenwood6 Posted December 20, 2008 (Author)
No, it's not on. I think it is because of this line:

    if($row['username'] != $username) { echo "That username is incorrect."; }

It checks the username and since it is not getting a username it is automatically failing.
Mark Baker Posted December 20, 2008
Quoting "what the heck does that mean?": If inserted into your SQL, it should give

    $query = "SELECT * FROM users WHERE username=''; delete from users";

Potentially, that can then execute both statements against your database at the line in your code that says $results = mysql_query($query);
First: SELECT * FROM users WHERE username=''' returning no valid results
Then: delete from users
Mark Baker Posted December 20, 2008
As an alternative, try 'OR''=' as a username to enter in your form and pass to the login as a POST var, although that should be trapped by your

    if($row['username'] != $username) { echo "That username is incorrect."; }
ngreenwood6 Posted December 20, 2008 (Author)
No that didn't work either. I now understand how it works though and that was the point of this post. Thanks for the help.
webref.eu Posted December 21, 2008
See also: http://www.learnphponline.com/security/sql-injection-prevention-mysql-php Rgds