Trium918 Posted May 4, 2007 Share Posted May 4, 2007

Would someone please explain to me why my code is vulnerable to injections, and how do I test against it? Where would the attack occur?

SQL injections are probably one of the most common attacks nowadays. You might have heard of it, but you must really be sure that you understand how such attacks work. Imagine the following piece of PHP code:

```php
<?php
// db connection..
$res = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'");
if(mysql_num_rows($res) > 0) {
    // user has been authenticated..
}
?>
```

To some of you that may look scary, and that's good. It is scary. Imagine that the value of $_POST['password'] would be "foo' OR 1=1". Here is what the query would look like at runtime:

```sql
SELECT * FROM users WHERE username = 'johndoe' AND password = 'foo' OR 1=1
```

Link to comment: https://forums.phpfreaks.com/topic/49990-sql-injections/
obsidian Posted May 4, 2007 Share Posted May 4, 2007

The code you posted actually shows right in it why it's vulnerable. All someone has to do is enter the following into the username field at login, and they will be logged in as the first user in your database:

```
' or 1=1 --
```

This will run the following query:

```sql
SELECT * FROM users WHERE username = '' or 1=1 -- AND password = '';
```

The '--' is a comment in MySQL, so everything after that is ignored. In essence, this script will allow me to log in as the first user in the database (or any other user I choose if I play around with the query a bit more).
DaveEverFade Posted May 4, 2007 Share Posted May 4, 2007

Well, you're putting the password straight from $_POST in the database! Big no no... Somebody could enter the password as somthing' or password <> 'somthing or similar, gaining access to the site. You might want to read up on some articles about this. There are a few ways to do it, I tend to use mysql_real_escape_string()
Trium918 Posted May 4, 2007 Author Share Posted May 4, 2007

' or 1=1 -- works like a charm. Ok, how would the code below help to prevent the problem? How would I apply it to my code? Example please!

```php
<?php
function escape_for_mysql($data) {
    // if magic_quotes_gpc is on, strip the slashes it added
    if(get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysql_real_escape_string($data);
}
?>
```
DaveEverFade Posted May 4, 2007 Share Posted May 4, 2007

From what I understand it escapes nasty things like ' by putting a \ in front of them (so MySQL ignores them)
Trium918 Posted May 4, 2007 Author Share Posted May 4, 2007

> From what I understand it escapes nasty things like ' by putting a \ in front of them (so MySQL ignores them)

Yes, I understand, but how would I apply the function to every form field that is inserted into the database?
DaveEverFade Posted May 4, 2007 Share Posted May 4, 2007

Well, before your query could be something like this:

```php
// escape the value AND wrap it in quotes: mysql_real_escape_string() only protects a quoted string
$sql = "SELECT stuff FROM DB WHERE a='".escape_for_mysql($_POST['stuff'])."'";
```

If you see what I mean? Just call the function with the POST data...
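Added example (not code from the thread or its posters): the login query from the first post built three ways against an in-memory SQLite database through PDO, so it runs without a MySQL server. The mysql_* functions used in this thread were removed in PHP 7, so PDO's quote() and prepared statements stand in for mysql_real_escape_string() here; the pdo_sqlite extension is assumed to be installed, and the users table and the johndoe row are constructed for the demo.

```php
<?php
// Constructed test database: one user, in memory, created fresh on every run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('johndoe', 's3cret')");

// Vulnerable form from the first post: user input concatenated straight into the SQL text.
function login_vulnerable(PDO $db, string $username, string $password): bool {
    $sql = "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form 1: a prepared statement sends the SQL and the values separately,
// so a quote or comment marker in the input is only ever treated as data.
function login_prepared(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return $stmt->fetch() !== false;
}

// Hardened form 2: escaping applied to every field. PDO::quote() escapes the value
// AND wraps it in quotes, which is what escape_for_mysql() still leaves to the caller.
function login_escaped(PDO $db, string $username, string $password): bool {
    $sql = "SELECT * FROM users WHERE username = " . $db->quote($username)
         . " AND password = " . $db->quote($password);
    return $db->query($sql)->fetch() !== false;
}

$payload = "' or 1=1 --";                             // the input obsidian described above
var_dump(login_vulnerable($db, $payload, ''));        // bool(true): logged in with no password
var_dump(login_prepared($db, $payload, ''));          // bool(false)
var_dump(login_escaped($db, $payload, ''));           // bool(false)
var_dump(login_prepared($db, 'johndoe', 's3cret'));   // bool(true): the real credentials still work
```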
cmgmyr Posted May 4, 2007 Share Posted May 4, 2007

```php
$output = mysql_real_escape_string($input);
```