
Explain SQL injection

Discussion in 'PHP' started by vic_msn, Nov 23, 2006.

  1. #1
    I learnt from phpbuilder that SQL injections are caused by the attacker giving wrong conditions, like 1=1, which would cause all the rows to be displayed, but how can the attacker take control of a database if the password is not known?
     
    vic_msn, Nov 23, 2006 IP
  2. Pammer

    Pammer Notable Member

  3. vic_msn

    vic_msn Well-Known Member

    #3
    That video wasn't an SQL injection. He played with the Java code.
     
    vic_msn, Nov 24, 2006 IP
  4. falcondriver

    falcondriver Well-Known Member

    #4
    You just didn't understand this movie.
     
    falcondriver, Nov 24, 2006 IP
  5. T0PS3O

    T0PS3O Feel Good PLC

    #5
    You don't need the password because the target script already has the password.

    With an SQL Injection the hacker is just manipulating your unsafe SQL queries.
     
    T0PS3O, Nov 24, 2006 IP
  6. JEET

    JEET Notable Member

    #6
    Generally, checking for "isnumeric" and "slashes" prevents most injection attacks. Then, while programming, you need to think of the different possibilities that may arise when some other input is sent, other than what you have set.
    Bye :)
     
    JEET, Nov 24, 2006 IP
  7. drewbe121212

    drewbe121212 Well-Known Member

    #7
    SQL injection is manipulating global variables (usually $_GET and $_POST) when a programmer doesn't properly secure the variables that can be manipulated, added, or changed by the user.

    Let's say you have a product with an ID of 6, and when you go to update it you go to the following URL:

    http://www.mysite.com/edit_product.php?id=6

    The query looks like this:
    $query = mysql_query("UPDATE products SET products = '{$_POST['product_name']}' WHERE id='{$_GET['id']}'");

    Excellent, we have a perfectly working query..... NOT!!

    If you did this:
    http://www.mysite.com/edit_product.php?id=6 or 1=1--

    $query = mysql_query("UPDATE products SET products = '{$_POST['product_name']}' WHERE id='{$_GET['id']}' or 1=1--' ");

    The query now selects everything from the product table regardless of whether id is equal to '6' or not. A double dash "--" tells SQL to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#".

    So, with that, you can basically run any command that you want.
    http://www.mysite.com/edit_product.php?id=6; INSERT INTO products' ('product_id', 'product') VALUES ('','An SQL Injected Product Name')--

    for instance, DROP DATABASE.

    OR

    you can retrieve the database structure (as long as the variable is output on the page somewhere) and figure out the user accounts structure, INSERT yourself a new user account record and log in to the system.

    Hope this helps you understand it and makes people realize how important it is to use mysql_real_escape_string() on any variable that exists inside of a query, or addslashes at the minimum (creates a mid-level security against it, but can still be bypassed).
     
    drewbe121212, Nov 25, 2006 IP
    clancey, Pammer and danbradster like this.
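    Added example, not code from the thread or from any of its posters: the edit_product.php query from post #7, run twice against a small in-memory SQLite database (the products table and its rows are constructed sample data; the same PDO code works against MySQL by changing the DSN). The first run pastes the request value into the SQL text exactly as the post does, with the input the post's resulting query implies (id=6' or 1=1--); the second validates the id as an integer and binds every value as a parameter. The column name product, the function names and the sample values are this example's own choices.

```php
<?php
// Added example (not from the thread): the vulnerable UPDATE from post #7 beside a
// parameterized version. In-memory SQLite so it runs offline; table and rows are
// constructed sample data, not a real product catalogue.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, product TEXT)");
$db->exec("INSERT INTO products (id, product) VALUES (5, 'Lamp'), (6, 'Chair'), (7, 'Desk')");

// Simulated request: the id value implied by the post's second query, plus a name.
$get  = ['id' => "6' or 1=1--"];     // constructed, the thread's own 1=1 case
$post = ['product_name' => 'Renamed'];

// 1. As written in the post: request values are interpolated into the SQL string,
//    so the quote in the id closes the literal and the "--" hides the trailing quote.
function updateUnsafe(PDO $db, array $get, array $post): int {
    $sql = "UPDATE products SET product = '{$post['product_name']}' WHERE id='{$get['id']}'";
    return $db->exec($sql);           // number of rows changed
}

// 2. Hardened: the id must parse as an integer, and both values are bound as
//    parameters, so the database only ever receives them as data.
function updateSafe(PDO $db, array $get, array $post): int {
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare("UPDATE products SET product = :name WHERE id = :id");
    $stmt->execute([':name' => $post['product_name'], ':id' => $id]);
    return $stmt->rowCount();
}

printf("unsafe query changed %d rows (every product, not just id 6)\n", updateUnsafe($db, $get, $post));

try {
    updateSafe($db, $get, $post);
} catch (InvalidArgumentException $e) {
    echo "safe version rejected the input: ", $e->getMessage(), "\n";
}
printf("safe query with a plain id changed %d row\n", updateSafe($db, ['id' => '6'], $post));
```

    Run it with the php CLI (pdo_sqlite is bundled with most builds). The first UPDATE reports all three rows changed; the second refuses the payload outright and, given a plain id, changes exactly one row. With a bound parameter the id reaches the database as a value only, so nothing inside it can end the string literal or append a condition, which is the property escaping functions try to approximate by hand.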
  8. vic_msn

    vic_msn Well-Known Member

    #8
    I can do that, but how can one who does not know the source do that?
    PHP only gives HTML outputs.
     
    vic_msn, Nov 25, 2006 IP
  9. LazyD

    LazyD Peon

    #9
    I don't mean to hijack the thread, but I'm curious now: with this information, could anyone provide an example of how I would protect myself if I wanted to add a newsletter signup on the main page of my site for the person's name and email that would be stored in a MySQL DB?
     
    LazyD, Nov 25, 2006 IP
  10. falcondriver

    falcondriver Well-Known Member

    #10
    You can check your value with is_int() or use some regular expression to see if there is anything more than numbers and letters inside a string.
     
    falcondriver, Nov 25, 2006 IP
  11. Cutting Edge

    Cutting Edge Guest

    #11
    I heard WordPress had a major issue with MySQL injections before, within the comments. Anybody have any experience with this issue?
     
    Cutting Edge, Nov 25, 2006 IP
  12. drewbe121212

    drewbe121212 Well-Known Member

    #12
    The biggest thing to use is mysql_real_escape_string().

    It provides one of the easiest and best methods for securing a variable inside of a query string. While it is not completely foolproof, it is much more secure than leaving it open!
     
    drewbe121212, Nov 26, 2006 IP
  13. Luke

    Luke Peon

    #13
    Or, if it's supposed to be a number and only a number, like with the ID=6 example, I use INTVAL($_GET['var']) rather than mysql_real_escape_string(); however, I will use mysql_real_escape_string() for everything else.
     
    Luke, Nov 27, 2006 IP
  14. LazyD

    LazyD Peon

    #14
    So, if my site is currently using the $_GET var to grab a variable for certain pages and I'm not using real escape or some other method of securing it, I'm setting myself up for disaster, aren't I?
     
    LazyD, Nov 27, 2006 IP
  15. adsblog

    adsblog Active Member

    #15
    You can filter the special characters used in SQL queries (e.g. ' , " , ; , ...) from the URL and check variables.

    No variable should have a ' , " or ; value.
     
    adsblog, Nov 27, 2006 IP
  16. drewbe121212

    drewbe121212 Well-Known Member

    #16
    As long as that variable exists inside of a query, yes. Whether the variable is in the column list, the table name, JOINs, or the WHERE clause, if it exists anywhere inside of that, it can be used against you.

    Protect your scripts!
     
    drewbe121212, Nov 27, 2006 IP
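    Added example, not from the thread or its posters: post #16 notes that request values can end up in the column list, table name or ORDER BY as well as the WHERE clause. Bound parameters only cover values, not identifiers, so a column or table name chosen by the request has to be mapped through a fixed allow-list instead. The block below shows that split against an in-memory SQLite database with constructed rows; the SORT_COLUMNS map, the listProducts() function and the request parameter names are assumptions of this example.

```php
<?php
// Added example (not from the thread): values are bound, identifiers are allow-listed.
// In-memory SQLite so it runs offline; change the DSN for MySQL. Constructed sample rows.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, product TEXT, price REAL)");
$db->exec("INSERT INTO products VALUES (5, 'Lamp', 20.0), (6, 'Chair', 45.0), (7, 'Desk', 120.0)");

// Sort keys the page accepts, mapped to real column names. A key that is not in
// the map falls back to the default, so the request never supplies SQL text.
const SORT_COLUMNS = ['name' => 'product', 'price' => 'price', 'id' => 'id'];

function listProducts(PDO $db, array $get): array {
    // Identifier: looked up in our own map (also guards against ?sort[]=x arrays).
    $key    = is_string($get['sort'] ?? null) ? $get['sort'] : '';
    $column = SORT_COLUMNS[$key] ?? 'id';
    // Direction: one of two fixed keywords, never the request string itself.
    $dir = (($get['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';
    // Value: validated as a number and bound; an absent or bad limit means no limit.
    $maxPrice = filter_var($get['max_price'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($maxPrice === false) {
        $maxPrice = PHP_FLOAT_MAX;
    }

    // $column and $dir come from constants above; :max is the only request-derived value.
    $stmt = $db->prepare("SELECT id, product, price FROM products WHERE price <= :max ORDER BY $column $dir");
    $stmt->execute([':max' => $maxPrice]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests: a valid sort, then an unknown sort key with a price limit.
$requests = [
    ['sort' => 'price', 'dir' => 'desc'],                   // Desk, Chair, Lamp
    ['sort' => 'description', 'max_price' => '50'],         // unknown key -> id order: Lamp, Chair
];
foreach ($requests as $req) {
    echo json_encode(array_column(listProducts($db, $req), 'product')), "\n";
}
```

    The rule the example encodes: anything that must appear as SQL syntax (column, table, ORDER BY direction, LIMIT keyword) is selected from constants the script owns; anything that is data goes through a placeholder. Escaping functions cannot make an identifier safe, because identifiers are not quoted string literals.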
  17. LazyD

    LazyD Peon

    #17
    So would running mysql_real_escape_string on $_GET variables be enough protection? My $_GET variables aren't just numbers, some are words, so I don't think I can use isint() or INTVAL().
     
    LazyD, Nov 27, 2006 IP
  18. drewbe121212

    drewbe121212 Well-Known Member

    #18
    I personally don't use intval on numbers, but it is a good idea just to keep people from inputting letters on something that HAS to be numbers. mysql_real_escape_string is good enough for moderate protection. There are still ways around that, but I wouldn't worry to that much of a degree until your site is extremely popular and people spend their entire night trying to "beat" the system :)

    Just make sure you use mysql_real_escape_string for any variable inside of a query.
     
    drewbe121212, Nov 28, 2006 IP
  19. RRWH

    RRWH Active Member

    #19
    The only way to protect yourself is by doing some sort of input data validation.

    You should NEVER trust any data until you have validated it - use regular expressions; mysql_real_escape_string is another very useful function, as has been noted.

    You can combat about 99% of SQL injection by looking for a handful of the most common attacks - such as removing -- (double minus - the start of an SQL comment), {a}={a} (something equalling something), and all of the quotes ' " \ , (single, double, backslash and comma).

    It really is fairly easy to eliminate the most basic risks with just a few lines of code. A Google search will reveal quite a bit of good info that you can easily use to test your own apps to see if they are vulnerable, and it is something that you should do. This is exactly how I found out that one of my sites was vulnerable and also how I found out that it is very easy to prevent.
     
    RRWH, Nov 28, 2006 IP
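    Added example, not from the thread or its posters: the newsletter signup LazyD asks about in #9, written with the server-side validation RRWH calls for in #19 and a prepared INSERT rather than escaping. It runs against an in-memory SQLite database so it works offline (swap the DSN for MySQL); the subscribers table, the function names, the name rule and the four sample submissions are all this example's own choices, not anything from the thread.

```php
<?php
// Added example (not from the thread): a signup handler that validates in PHP
// and binds the values. In-memory SQLite so it runs offline.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE subscribers (
        id    INTEGER PRIMARY KEY,
        name  TEXT NOT NULL,
        email TEXT NOT NULL UNIQUE)");
    return $db;
}

// Returns [] when the submission is valid, otherwise a list of error messages.
// Done in PHP, not in the browser: anything checked only by JavaScript can be bypassed.
function validateSignup(array $input): array {
    $errors = [];
    $name  = is_string($input['name']  ?? null) ? trim($input['name'])  : '';
    $email = is_string($input['email'] ?? null) ? trim($input['email']) : '';

    // Name: 1-80 letters (any script), spaces, hyphens or apostrophes. O'Brien is
    // legal; the apostrophe is harmless because the value is bound, never concatenated.
    if (!preg_match('/^[\p{L}\p{M} \'\-]{1,80}$/u', $name)) {
        $errors[] = 'name must be 1-80 letters, spaces, hyphens or apostrophes';
    }
    // Email: PHP's built-in syntax validator plus a length cap.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    return $errors;
}

// Stores one subscriber. Values travel as bound parameters, so no character in
// them can alter the SQL. Returns false on validation failure or a duplicate email.
function addSubscriber(PDO $db, array $input): bool {
    if (validateSignup($input) !== []) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO subscribers (name, email) VALUES (:name, :email)");
    try {
        $stmt->execute([':name' => trim($input['name']), ':email' => trim($input['email'])]);
    } catch (PDOException $e) {
        return false;   // UNIQUE constraint: this address already signed up
    }
    return true;
}

// Constructed sample submissions (not real people), including the quote-laden
// input the thread is about.
$db = openDb();
$samples = [
    ['name' => "Ann O'Brien", 'email' => 'ann@example.com'],
    ['name' => "x' or 1=1--", 'email' => 'eve@example.com'],   // fails the name rule
    ['name' => 'Bob',         'email' => 'not-an-email'],      // fails the email rule
    ['name' => 'Ann again',   'email' => 'ann@example.com'],   // duplicate address
];
foreach ($samples as $s) {
    $ok = addSubscriber($db, $s);
    printf("%-14s %-18s -> %s\n", $s['name'], $s['email'],
        $ok ? 'stored' : 'rejected (' . implode('; ', validateSignup($s) ?: ['duplicate email']) . ')');
}
printf("rows stored: %d\n", $db->query("SELECT COUNT(*) FROM subscribers")->fetchColumn());
```

    Only the first submission is stored. Note the two separate jobs: validation decides whether the data is acceptable for the application (a real-looking name and address), while the prepared statement guarantees that whatever is accepted is stored verbatim and never parsed as SQL. Stripping quotes and "--" from input, as suggested earlier in the thread, tries to do the second job with the first mechanism, which is why legitimate names like O'Brien get damaged while the underlying query stays string-built.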
  20. vic_msn

    vic_msn Well-Known Member

    #20
    Also, to protect yourself, please avoid doing JavaScript validation,
    as the visitor will be able to view the source and can change it according to his input or perform some form of tricks. So use only complete PHP validation, as the PHP source is not visible directly to the hacker.
     
    vic_msn, Nov 30, 2006 IP
    drewbe121212 likes this.