
Thread: SQL injection

  1. #1



    I'm really into web development and also web destruction (for EVIL purposes).. hahaha.....
    I'd like to know the ins and outs of SQL injection so we can prevent it in the project we're going to build, which is a Library system for UC.. the project we're building will be web based for easy access.... our long term goal for this project is to interconnect the libraries of the different campuses of UC... but before that.. let's talk about SQL injection..

    I created a simple PHP-MySQL web app with a user table (usernames[varchar] and passwords[varchar]) in my database... you just enter a username and password in this web app.. my code for this is:

    $user = $_POST['user'];   // array keys quoted; the bare user/pass only worked as undefined constants
    $pass = $_POST['pass'];

    // the raw POST value is interpolated straight into the SQL text (the injection point)
    $query = "SELECT * from user where username = '$user' ";

    then what I entered in my web form was " 1' OR 1=1 -- "...
    so the actual query executed by mysql is: SELECT * from user where username = '1' OR 1=1....

    nothing fishy came out though?? the web browser still just displayed the web app.. does this SQL injection really work?? or is my approach just wrong....?

    if possible I'd also like to ask you for tips on what the preventive measures for SQL injections are.. I only know a little... like encryption, filtering inputs, etc.. thanks in advance...
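The lookup from post #1 built two ways, as an added example that is not the poster's code: the string-interpolated query next to a PDO prepared statement, run against an in-memory SQLite table so it works without a MySQL server. The table layout (username, password) follows the post; the two rows are constructed for the demo, and the function names are my own.

```php
<?php
// Added example, not from the thread: vulnerable vs. prepared lookup.
// SQLite in memory stands in for the MySQL table described in post #1.

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE user (username VARCHAR(32), password VARCHAR(64))");
    // constructed sample rows
    $db->exec("INSERT INTO user VALUES ('alice', 'alice-pw'), ('bob', 'bob-pw')");
    return $db;
}

// Vulnerable: the submitted value becomes part of the SQL text, exactly as in post #1.
// With the input  1' OR 1=1 --  the WHERE clause is always true and every row comes back.
function lookup_vulnerable(PDO $db, string $user): array {
    $query = "SELECT * FROM user WHERE username = '$user'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter, so it can only ever be compared
// as data; quotes and comment markers inside it cannot change the query's structure.
function lookup_prepared(PDO $db, string $user): array {
    $stmt = $db->prepare("SELECT * FROM user WHERE username = :user");
    $stmt->execute([':user' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setup_db();
$payload = "1' OR 1=1 -- ";   // the input from post #1

printf("vulnerable lookup returned %d row(s)\n", count(lookup_vulnerable($db, $payload)));
printf("prepared lookup returned   %d row(s)\n", count(lookup_prepared($db, $payload)));
```

The vulnerable function returns both rows for the payload, the prepared one returns none, because no user is literally named `1' OR 1=1 -- `. This is also why the original test looked like nothing happened: the injection changes what the database returns, not what the page looks like, so unless the code inspects the result (a login check that accepts any non-empty result set would quietly let the payload through) the browser shows the same form as before.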

  2. #2
    try 1' or 1 = '1

    btw, what's your php.ini settings? is magic_quotes_* on?

  3. #3
    For me, maybe you should use parameterized statements?

  4. #4
    vern
    eh, if you use something like PHP, just use one of the many HTML filters out there to prevent XSS attacks. You don't need to re-invent the wheel.

  5. #5
    html_entities and mysql_real_escape_string will be very useful to you.

  6. #6
    SQL injection is not just simply typing some strings in the textboxes, you should create another php/asp page that will target the server, in conjunction with the valid .php/.asp file that manages the process after "post".

    here's some example:

    <html>
    <form action="http://[SITE]/yourPage.asp" method="post">
    <input type="text" name="target_field_name" value="any_valid_field';[YOUR_SQL_CODE_HERE]">
    <input type="submit" name="submit" value="INJECT IT">
    </form>
    </html>
    SQL CODE such as:

    update INFO set Field1='your_injected_value' where Field2='Field2';--

    or try to up your page… for practice. I can’t run my server. My company is blocking my webhost. I will make one as soon as I fix it.

  7. #7
    Quote Originally Posted by vern View Post
    eh, if you use something like PHP, just use one of the many HTML filters out there to prevent XSS attacks. You don't need to re-invent the wheel.
    Cross-site scripting (XSS) is not the same as SQL injection attacks. XSS vulnerability is basically a flaw in your script that allows the attacker to print unfiltered strings to the victim's browser. This allows cookie theft, among other things. SQL injection is a flaw that allows the attacker to craft malicious SQL queries.

  8. #8
    Quote Originally Posted by MarkCuering View Post
    SQL injection is not just simply typing some strings on the textboxes, you should create another php/asp page that will target the server. In conjunction to the valid .php/.asp file who manage the process after "post"
    It doesn't matter; it's just the same. My favorite tool is curl because it allows me to craft raw HTTP data.

  9. #9
    I'm not into web development but reading the curl FAQ it stated that it relies on the client side only. I don't know if this works like xp_cmdshell in SQL server that somehow can permit command execution (if it has been permitted to the web user, complete negotiation of the webserver is quite predictable). No matter how helpful to admins over remote sites... it still needs some precautions.

  10. #10
    just sanitize your data properly to prevent sql injections
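Posts #5, #7 and #10 all come down to one point: each output context needs its own defence, and "sanitizing" works best as rejecting what does not fit rather than cleaning what does. This added example (not from the thread) shows validation at the input boundary for the library system's username and book id, plus HTML encoding at the output boundary for the XSS case post #7 distinguishes from SQL injection. The validation rules, function names and sample inputs are my own assumptions for a demo; prepared statements, as in post #3, remain the SQL defence.

```php
<?php
// Added example, not from the thread: allowlist validation for two library-system
// fields and HTML encoding for display. None of this replaces prepared statements.

// A username is accepted only as a short token of letters, digits and underscore.
// Quotes, spaces and comment sequences are therefore never "cleaned", just refused.
function valid_username(string $user): bool {
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $user) === 1;
}

// A book id must be a positive whole number. filter_var returns false for
// inputs such as "42 OR 1=1", "42'", "4.2" or "0", which this maps to null.
function book_id_from_input(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// HTML output context: this is the XSS defence from post #7. It makes a stored
// value safe to print inside a page; it does nothing for the SQL context.
function render_cell(string $value): string {
    return '<td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td>';
}

// constructed sample inputs
$usernames = ["alice", "1' OR 1=1 -- ", "bob_2024", "<script>alert(1)</script>"];
foreach ($usernames as $u) {
    printf("%-30s valid username: %s\n", json_encode($u), valid_username($u) ? 'yes' : 'no');
}

$ids = ["42", "42 OR 1=1", "0", "4.2"];
foreach ($ids as $raw) {
    $id = book_id_from_input($raw);
    printf("%-14s book id: %s\n", json_encode($raw), $id === null ? 'rejected' : $id);
}

// The same string that fails username validation is harmless once HTML-encoded for display.
echo render_cell("<script>alert(1)</script>"), "\n";
```

Only `alice` and `bob_2024` pass the username check and only `42` yields a book id; the rejected values never reach a query at all. The rendered cell shows `<` and `>` turned into `&lt;` and `&gt;`, which is the browser-side defence, separate from the database-side one.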

