
MYSQL-SQL INJECTION PREVENTION


dannybrazil


I'll give you a clear-cut simple example of how this might occur.

Here is your code:

<?php
// Firstly get the username and password from the USER INPUT in the form, i.e. the place you allowed Joe Bloggs to enter info.
$username = $_POST['username'];
$password = $_POST['password'];

// Next, create our SQL statement using the information retrieved.
// The raw values are dropped straight into the query string; that is the mistake this post is about.
$sql = "SELECT u.id FROM users u WHERE username = '{$username}' AND password = '{$password}' ";
// Execute the query (assumes a mysql_connect() link is already open).
mysql_query($sql);

OK, now we've got our code. I'll explain what plain ol' Joe can insert to destroy your database.

Say Joe enters (without the double inverted commas of course, I'm just using those to represent input) the following into the username input box:

" ' OR TRUE;--  "

Then your $sql string all of a sudden looks like this:

"SELECT u.id FROM users u WHERE username = '' OR TRUE;-- AND password = '' "

 

As you can see from the above, the SQL will get executed up until it reaches the ";--", which denotes the end of the statement and also that anything following it is a comment.

Also, the logic now provided basically says the username can be blank ('') OR TRUE; of course the "TRUE" part evaluates to basically give success in the statement (for logical reasoning). You're probably thinking, "well the username doesn't equal TRUE", and you're right, no username in your database does. Think about it this way instead (in boolean logic):

FALSE OR TRUE = TRUE

TRUE = SUCCESS! // Or I tend to think of it as "YAY, I worked" :P

 

So in actual fact, what MySQL will do is simply return the whole set of user ids, so any further statements that, for example, pull the id and store it in the session will work, because an id has been returned and the statement succeeded.

 

I hope that helps you get a better handle on things.

Of course there are worse statements you could perform, and some more sneaky ones to give you better information (such as the number of columns being returned), but I'll leave it up to you to work those out.

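The following is an added, runnable example that is not part of the original post. It rebuilds the post's login query two ways against an in-memory SQLite database (constructed sample rows, not real data): once by string concatenation exactly as the PHP above does it, and once with a parameterised query, which is the prevention the thread title asks about. The payload used is `' OR 1=1 -- `, a variant of the post's `' OR TRUE;--` without the semicolon so that it is accepted by SQLite's single-statement API; the comment marker still cuts off the password check. The `login_and_get_session_user` helper is hypothetical and only mirrors the "store the first returned id in the session" step the post describes.

```python
import sqlite3

# Constructed sample data (not from the original post): three users with
# plaintext passwords, mirroring the post's `users` table with `id`,
# `username` and `password` columns.
SAMPLE_USERS = [
    (1, "joe", "hunter2"),
    (2, "alice", "correct horse"),
    (3, "admin", "s3cret"),
]

# Variant of the post's payload, without the trailing semicolon.
PAYLOAD = "' OR 1=1 -- "


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query, built the same way as the post's PHP.

    Returns the list of matching user ids. Whatever the caller passes in
    becomes part of the SQL text, so a quote plus a comment marker in the
    username changes the structure of the WHERE clause.
    """
    sql = (
        "SELECT u.id FROM users u "
        f"WHERE username = '{username}' AND password = '{password}' "
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values are bound
    separately, so the database never parses user input as SQL.
    """
    sql = "SELECT u.id FROM users u WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def login_and_get_session_user(conn, username, password, query=login_vulnerable):
    """Hypothetical helper mirroring the post: take the first returned id as
    the logged-in user. Returns None when no row matched.
    """
    ids = query(conn, username, password)
    return ids[0] if ids else None


if __name__ == "__main__":
    conn = make_db()
    print("legit login, vulnerable query:", login_vulnerable(conn, "joe", "hunter2"))
    print("payload, vulnerable query:   ", login_vulnerable(conn, PAYLOAD, ""))
    print("payload, parameterised query:", login_safe(conn, PAYLOAD, ""))
    print("session user via payload:    ", login_and_get_session_user(conn, PAYLOAD, ""))
```

With the payload, the concatenated query becomes `WHERE username = '' OR 1=1 -- ' AND password = ''`, every id comes back, and the first one (user 1) would be stored in the session; the parameterised query returns nothing for the same input. The PHP equivalent of `login_safe` is a prepared statement, for example with PDO: `$stmt = $pdo->prepare('SELECT u.id FROM users u WHERE username = ? AND password = ?'); $stmt->execute([$username, $password]);` (mysqli offers the same via `prepare`/`bind_param`). The `mysql_*` functions used in the post have no prepared-statement support and were removed in PHP 7.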