phpSensei Posted July 21, 2007

I searched Google and got an answer, I just didn't understand it very clearly, but can someone help me understand what "SQL Injection" is? How it works, what it is, and other stuff I should worry about.
pocobueno1388 Posted July 21, 2007

There is plenty of information on Google about SQL injections.

http://www.netlobo.com/preventing_mysql_injection.html
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://en.wikipedia.org/wiki/SQL_injection

Basically it is when someone is trying to change your query. The main function that PHP offers to protect against it is mysql_real_escape_string()

www.php.net/mysql_real_escape_string

Just don't trust ANY user-inputted information.
dbo Posted July 22, 2007

Here is a classic example of SQL injection on a login form. Assume someone wrote the following statement for their login form:

----------------------------
$query = "SELECT * FROM user WHERE user = '" . $user . "' AND pass = '" . $pass . "'";
$result = mysql_query($query);
----------------------------

Now let's assume that we know that jon is a username. So if jon were to log in he'd enter his username: jon and password: jonpass. In the normal case the query would become:

----------------------------
SELECT * FROM user WHERE user = 'jon' AND pass = 'jonpass'
----------------------------

Jon gains access because his password was correct... things work as expected.

Now let's assume that we are a hacker and we're trying to gain access to the form. We know that jon has an account here but don't know his password. If the proper measures are not taken, look what can happen. Hacker types in (jon) for the username, (bogus' OR 'a'='a) for the password, and then the fun begins.... Now our query becomes:

----------------------------
SELECT * FROM user WHERE user = 'jon' AND pass = 'bogus' OR 'a'='a';
----------------------------

So essentially the hacker has just modified the query and gained access to jon's account without knowing his password, because last time I checked a always equals a.

So if the input had been properly filtered and escaped, the result would have been something like this:

----------------------------
SELECT * FROM user WHERE user = 'jon' AND pass = 'bogus\' OR \'a\'=\'a'
----------------------------

An even better result would have looked like this:

----------------------------
SELECT * FROM user WHERE user = 'jon' AND pass = 'bogus\'OR\'a\'=\'a'
----------------------------

The difference in this example is that we filtered spaces from the input as well, so at the very worst the query breaks but the hacker doesn't gain access to the account.

So now knowing this, go test out all your sites for similar stuff to make sure it doesn't break. But DON'T try it for other people's sites because that would be a federal offense and you will get in trouble.
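The login example above, reproduced as an added, runnable example (not code from the thread or its posters). It is written in Python against an in-memory SQLite database rather than PHP/MySQL so it runs stand-alone: `build_concat_query` mirrors the string-built query from the post, `login_concat` runs it, and `login_param` is the hardened form that passes the username and password as driver placeholders so they are only ever treated as data. The `user` table row for "jon" / "jonpass" is constructed sample data, and the function names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample data: one account, jon / jonpass, matching the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO user VALUES ('jon', 'jonpass')")
    conn.commit()
    return conn


def build_concat_query(user, pwd):
    """The post's vulnerable pattern: user input spliced straight into SQL text."""
    return "SELECT * FROM user WHERE user = '" + user + "' AND pass = '" + pwd + "'"


def login_concat(conn, user, pwd):
    """Vulnerable login: whatever the input contains becomes part of the query."""
    return conn.execute(build_concat_query(user, pwd)).fetchone() is not None


def login_param(conn, user, pwd):
    """Hardened login: the driver binds the values, so a quote in the input
    stays a quote inside the compared string and cannot alter the WHERE clause."""
    query = "SELECT * FROM user WHERE user = ? AND pass = ?"
    return conn.execute(query, (user, pwd)).fetchone() is not None


def demo():
    """Run both login styles with the correct password and with the post's
    'bogus' OR 'a'='a' input; returns which combinations grant access."""
    conn = make_db()
    injected = "bogus' OR 'a'='a"
    return {
        "concat_correct_password": login_concat(conn, "jon", "jonpass"),
        "concat_injected_password": login_concat(conn, "jon", injected),
        "param_correct_password": login_param(conn, "jon", "jonpass"),
        "param_injected_password": login_param(conn, "jon", injected),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'access granted' if granted else 'access denied'}")
```

Running it shows the concatenated query letting the injected password through while the parameterized one denies it. In PHP the same separation of code from data is what `mysql_real_escape_string()` approximates by escaping the quotes, and what prepared statements in mysqli or PDO provide directly.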