sirhenry

What Are Sql Interjection Attacks? (Answer inside)

Yikes! I just found out about this. It's really something to watch out for when making SQL of any sort, not just log-ins. Fortunately, it's relatively easy to circumvent.

Check it out:

What is an SQL Injection attack?
An SQL Injection attack happens when a user gives your script data crafted to change your SQL to do something you didn't intend it to do. Consider this SQL:

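$sql = 'SELECT * FROM users WHERE username="'.$username.'"
AND password="'.$password.'"';
// Deliberately vulnerable: user input is concatenated straight into the SQL.
$result = mysql_query($sql);
// mysql_query() succeeds for any valid SELECT, so also require a matching row.
if ($result && mysql_num_rows($result) > 0) {
  echo 'Logged in!';
}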

It looks fine, but what if a user submitted this as their password:

" OR 1=1 OR ""="

This would cause the SQL to read:

SELECT * FROM users WHERE username="" AND password="" OR 1=1 OR ""=""

which would allow the attacker to get into your system without even knowing a login!

On many databases you can also run multiple queries by putting a semicolon in the SQL you pass. Consider this password:

"; DELETE FROM users WHERE ""="

This would run the first query, which would probably find no records, but it would then run the DELETE query which would delete all of your users. Note that this could also be used to delete any other data in your system or to change your data or insert a new user with admin privileges.

To protect against this, you need to "escape" the variables you put into your SQL. When using MySQL you can do this:


$sql = 'SELECT * FROM users WHERE
username="'.mysql_real_escape_string($username).'" AND
password="'.mysql_real_escape_string($password).'"';


If you're using PEAR::DB you can do this (this will work for *any* database system that DB supports):

$sql = 'SELECT * FROM users WHERE
username='.$db->quoteSmart($username).' AND
password='.$db->quoteSmart($password);



Pretty scary stuff, huh? ::shocked::


Note: this is taken from this wiki, and the rightful author(s) of this information deserve all credit due.

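The escaping approach in the post above can also be replaced by parameter binding. The following is an added example, not part of the original post or the wiki it quotes: a login check using PDO prepared statements, run against the two passwords quoted in the post. It assumes the pdo_sqlite extension; the `users` table layout, the `alice` account and the `login()` helper are constructed for illustration.

```php
<?php
// Added example: hardened login using PDO prepared statements.
// Assumes the pdo_sqlite extension; table and account are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $username, string $password): bool
{
    // The SQL text is fixed; the username travels separately as a bound
    // parameter, so quotes or semicolons in it cannot change the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // A query that runs is not a login: require a matching row and
    // verify the password in PHP against the stored hash.
    return is_string($hash) && password_verify($password, $hash);
}

// The two passwords quoted in the post, tried in both fields,
// plus the legitimate login.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', '" OR 1=1 OR ""="'],
    ['" OR 1=1 OR ""="', 'anything'],
    ['alice', '"; DELETE FROM users WHERE ""="'],
    ['"; DELETE FROM users WHERE ""="', 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $verdict = login($pdo, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-34s %-34s %s\n", $user, $pass, $verdict);
}

// The DELETE payload was handled as data, so the account is still there.
$remaining = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "users remaining: $remaining\n";
```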

Wow. I've known about SQL Interjections for ages. I however never knew what they did. This has explained it all to me. Thanks!


I know someone who had an SQL injection attack on their phpBB forum and the hacker logged into the ACP and kaked everything and left a message on his homepage, lol. :P


This is very helpful information that you have contributed! And it must be known by many programmers. I have granted you 2 Hosting Credits as a reward! :P


What? You're giving out hosting credits? You're nice. *Cough*Isaidyournicenowgiveme5000credits*Cough*


I think it is called "SQL Injection" (because you "inject" SQL into the original script that is not supposed to be there).

Coincidentally, I did this just last week to a friend's website. He claimed his site was totally protected and unhackable. But I knew he was using Advanced Guestbook 2.2 on it, which is vulnerable to this kind of attack. So I showed him. Needless to say he has upgraded to 2.3.1 now. Sucker!

Basically, the script says "if A=B then OK", where A is the original password and B is the one the form asks. You're giving the phrase "X or 0=0" for the password. Now the script says: "if A=X or 0=0 then OK". Easy as pie!

The new form checks the input for illegal characters and filters them. So you can't do this anymore! Search for the phrase "Google Hacking" on... ehm, Google and see what other vulnerabilities can be found out there...


Not a very nice thing to do to a friend, then again, he was asking for it! Nothing is unhackable. There's always the blackhat hackers out there. What's your friend's site URL/address? I would like to see.


I know someone who does it for fun...it's not funny, though. :P He actually did it to my site to play around. He changed my welcome message to something embarrassing that happened to me that week and so I got mad and IP banned him. ;) But, he had proxies, so he completely hacked my site for trying to get rid of him. :D