1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Explain SQL injection

Discussion in 'PHP' started by vic_msn, Nov 23, 2006.

  1. #1
    I learnt from phpbuilder that sqlinjections are caused by giving wrong conditions by the attacker. like 1=1 which would cause all the rows to be displayed but how can the attacjer take control of a database if the password is not known.
    SEMrush
     
    vic_msn, Nov 23, 2006 IP
    SEMrush
  2. Pammer

    Pammer Notable Member

    Messages:
    3,417
    Likes Received:
    397
    Best Answers:
    0
    Trophy Points:
    260
  3. vic_msn

    vic_msn Well-Known Member

    Messages:
    2,234
    Likes Received:
    125
    Best Answers:
    0
    Trophy Points:
    155
    #3
    that video wasn't a sql injection. he played with the java codes.
     
    vic_msn, Nov 24, 2006 IP
  4. falcondriver

    falcondriver Well-Known Member

    Messages:
    963
    Likes Received:
    47
    Best Answers:
    0
    Trophy Points:
    145
    #4
    you just didnt understand this movie.
     
    falcondriver, Nov 24, 2006 IP
  5. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #5
    You don't need the password because the target script already has the password.

    With an SQL Injection the hacker is just manipulating your unsafe SQL queries.
     
    T0PS3O, Nov 24, 2006 IP
  6. JEET

    JEET Notable Member

    Messages:
    2,625
    Likes Received:
    188
    Best Answers:
    4
    Trophy Points:
    215
    #6
    Generally checking for "isnumeric", and "slashes" prevents most injection attacks. Then while programming, you need to think of different possibilities that may arise when some other input is sent, other than what you have set.
    Bye :)
     
    JEET, Nov 24, 2006 IP
  7. drewbe121212

    drewbe121212 Well-Known Member

    Messages:
    733
    Likes Received:
    20
    Best Answers:
    0
    Trophy Points:
    125
    #7
    SQL Injection is manipulating global variables (usually the $_GET and $_POST) when a programmer doesn't properly secure the variables that can be manipulated, added, or changed by the user.

    Lets say you have a product with an ID of 6, and when you go to update it you go to the following URL:

    http://www.mysite.com/edit_product.php?id=6

    The query looks like this:
    $query = mysql_query("UPDATE products SET products = '{$_POST['product_name']}' WHERE id='{$_GET['id']}'");

    Excellent, we have a perfectly working query..... NOT!!

    if you did this:
    http://www.mysite.com/edit_product.php?id=6 or 1=1--

    $query = mysql_query("UPDATE products SET products = '{$_POST['product_name']}' WHERE id='{$_GET['id']}' or 1=1--' ");

    The query now should now select everything from the product table regardless if id is equal to '6' or not. A double dash "--" tell SQL to ignore the rest of the query, which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".



    So, with that, you can basically run any command that you want.
    http://www.mysite.com/edit_product.php?id=6; INSERT INTO products' ('product_id', 'product') VALUES ('','An SQL Injected Product Name')--

    for instance, DROP DATABASE.

    OR

    you can retrieve the database structure (as long as the variable is outputed on the page somewhere) and figure out the user accounts structure. INSERT yourself a new user account record and login to the system.


    Hope this helps understand it and makes people realize how important it is to use mysql_real_escape_string() on any variable that exists inside of a query, or addslashes at the minimimum (creates a mid-level security against it, but can still be by passed).
     
    drewbe121212, Nov 25, 2006 IP
    clancey, Pammer and danbradster like this.
  8. vic_msn

    vic_msn Well-Known Member

    Messages:
    2,234
    Likes Received:
    125
    Best Answers:
    0
    Trophy Points:
    155
    #8
    I can do that but how can one who does not know the source do that.
    php only gives html outputs
     
    vic_msn, Nov 25, 2006 IP
  9. LazyD

    LazyD Peon

    Messages:
    425
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #9
    I dont mean to hijack the thread, but im curious now with this information could anyone provide an example of how I would protect myself if I wanted to add a newsletter signup on the main page of my site for the persons name and email that would store to mysql db?
     
    LazyD, Nov 25, 2006 IP
  10. falcondriver

    falcondriver Well-Known Member

    Messages:
    963
    Likes Received:
    47
    Best Answers:
    0
    Trophy Points:
    145
    #10
    you can check your value with is_int() or use some regular expression to see if there is more than numbers and letters inside a string.
     
    falcondriver, Nov 25, 2006 IP
  11. Cutting Edge

    Cutting Edge Guest

    Messages:
    270
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    0
    #11
    I heard Wordpress had a major issue with mysql injections before within the comments. Anybody have any experiences with this issue?
     
    Cutting Edge, Nov 25, 2006 IP
  12. drewbe121212

    drewbe121212 Well-Known Member

    Messages:
    733
    Likes Received:
    20
    Best Answers:
    0
    Trophy Points:
    125
    #12
    The biggest thing to use is mysql_real_escape_string()

    It provides one of the easiest and best methods for securing a variable inside of a query string. While it is not completely fullproof, it is much more secure then leaving it open!
     
    drewbe121212, Nov 26, 2006 IP
  13. Luke

    Luke Peon

    Messages:
    111
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #13
    Or, if its supposed to be a number and only a number like the with ID=6 example, i use INTVAL($_GET['var']) rather then mysql_real_escape_string(), however i will use mysql_real_escape_string() for everything else.
     
    Luke, Nov 27, 2006 IP
  14. LazyD

    LazyD Peon

    Messages:
    425
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #14
    So, if my site is currently using the $_GET var to grab a variable for certain pages and im not using real escape or some other method of securing im setting myself up for disaster arent I?
     
    LazyD, Nov 27, 2006 IP
  15. adsblog

    adsblog Active Member

    Messages:
    659
    Likes Received:
    27
    Best Answers:
    0
    Trophy Points:
    70
    #15
    you can filter special characters ( use in sql query . e.g : ' , " , ; , ...... ) from url and check variables .

    nothing variables has ' , " , ; value .
     
    adsblog, Nov 27, 2006 IP
  16. drewbe121212

    drewbe121212 Well-Known Member

    Messages:
    733
    Likes Received:
    20
    Best Answers:
    0
    Trophy Points:
    125
    #16
    As long as that variable exists inside of a query, yes. Whether the variable is in the column list, the table name, JOINS, or WHERE clause, if it exists anywhere inside of that, it can be used against you.

    protect your scripts!
     
    drewbe121212, Nov 27, 2006 IP
  17. LazyD

    LazyD Peon

    Messages:
    425
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #17
    So would running mysql_real_escape_string on $_GET variables be enough protection? My $_GET variables arent just numbers, some are words so I dont think I can use the isint() or INTVAL()
     
    LazyD, Nov 27, 2006 IP
  18. drewbe121212

    drewbe121212 Well-Known Member

    Messages:
    733
    Likes Received:
    20
    Best Answers:
    0
    Trophy Points:
    125
    #18
    I personally dont use intval on numbers, but it is a good idea just to keep people from inputing letters on something that HAS to be numbers. mysql_real_escape_string is good enough for moderate protection. Their are still ways around that, but I wouldn't worry to that much of a degree until your site is extremly popular and people spend their entire night trying to "beat" the system :)

    Just make sure you use mysql_real_escape_string for any variable inside of a query.
     
    drewbe121212, Nov 28, 2006 IP
  19. RRWH

    RRWH Active Member

    Messages:
    821
    Likes Received:
    49
    Best Answers:
    0
    Trophy Points:
    70
    #19
    The only way to protect yourself is by doing some sort of input data validation.

    You should NEVER trust any data until you have validated it - use regualr expressions, mysql_real_escape_string is another very useful funtion as has been noted.

    You can combat about 99% of SQL injection by looking for a handful of the most common attacks - such as removing -- (double minus - the start of an SQL comment) {a}={a} something equallling something, and all of the quotes ' " \ , single, double, backslash and comma.

    It really is fairly easy to eliminate the most basic risks with just a few lines of code. A google search will reveal quite a bit of good info that you can easily use to test your own apps to see if they are vunerable and something that you should do. This is exactly how I found out that one of my sites was vunerable and also how I found out that it is very easy to prevent.
     
    RRWH, Nov 28, 2006 IP
  20. vic_msn

    vic_msn Well-Known Member

    Messages:
    2,234
    Likes Received:
    125
    Best Answers:
    0
    Trophy Points:
    155
    #20
    also to protect yourself please avoid doing javascript validation
    as the visitor will be able to view the source and can change it according to his input or perform some form of tricks. so use only complete php validation as the php source is no visible directly to the hacker.
     
    vic_msn, Nov 30, 2006 IP
    drewbe121212 likes this.