06-07-2011, 07:06 PM
SQL injection happens when user input is pasted into a query string in a way that lets the user break out of the intended value and add their own SQL to the original query, changing what it does.
Ok so here is our login script. The same applies no matter whether you interpolate with ".$variable." or {$variable}:
<?php
$db->connect(); // assumed helper that opens the mysql_* connection
$pass = $_POST['pass'];
// VULNERABLE: the value goes into the SQL unquoted and unescaped
$query = mysql_query("SELECT * FROM users WHERE pass={$pass}");
if (mysql_num_rows($query) > 0)
{
    echo "welcome user";
}
?>
This will simply log the user in if the posted password matches a row. With the password 1234 the query is:
SELECT * FROM users WHERE pass=1234
But if the user enters the password 1234 OR 1=1, the query becomes:
SELECT * FROM users WHERE pass=1234 OR 1=1
This now logs them in if either the password is right or 1=1, and since 1 always equals 1, they get in regardless of whether the password is right.
So this is how we protect from that:
<?php
$db->connect(); // assumed helper that opens the mysql_* connection
$pass = $_POST['pass'];
// Quoted, so a plain value is now a string literal; still not escaped
$query = mysql_query("SELECT * FROM users WHERE pass='{$pass}'");
if (mysql_num_rows($query) > 0)
{
    echo "welcome user";
}
?>
//if you use ".$var." you must add the apostrophes too, so pass='".$var."'
The quotes mark where the string literal begins and ends, so whatever the user sends is now treated as text rather than as part of the query. When the user enters 1234 OR 1=1 the query looks like this:
SELECT * FROM users WHERE pass='1234 OR 1=1'
Now it only checks whether the password is "1234 OR 1=1", which it won't be.
But the user can still break out of the string and back into the query. All they need to do is send the password 1234' OR 1='1
Their first ' closes our opening quote early, and the closing ' we add pairs with the one they opened, so the query is back to checking whether the password is right or 1=1, which it is:
SELECT * FROM users WHERE pass='1234' OR 1='1'
This is a little harder to stop. The fix is to escape any ' or " the user sends so it cannot terminate the string. Here's the function:
function sanitize($sanitize)
{
    if (get_magic_quotes_gpc()) //magic_quotes_gpc already does what we are about to do; undo it first so the value is not escaped twice
    {
        $sanitize = stripslashes($sanitize); //Remove the slashes that magic quotes may have added
    }
    if (!is_numeric($sanitize)) //Numbers contain no ' or ", so they need no escaping; the quotes in the query are still required
    {
        $sanitize = mysql_real_escape_string($sanitize); //Will escape ' and " (needs an open mysql_* connection)
    }
    return $sanitize;
}
Now our code will look like this:
<?php
function sanitize($sanitize)
{
    if (get_magic_quotes_gpc())
    {
        $sanitize = stripslashes($sanitize);
    }
    if (!is_numeric($sanitize))
    {
        $sanitize = mysql_real_escape_string($sanitize);
    }
    return $sanitize;
}
$db->connect(); // assumed helper that opens the mysql_* connection
$pass = sanitize($_POST['pass']); //Put the password through our sanitizer
$query = mysql_query("SELECT * FROM users WHERE pass='{$pass}'");
if (mysql_num_rows($query) > 0)
{
    echo "welcome user";
}
?>
If the user enters the password 1234' OR 1='1 the query will look like:
SELECT * FROM users WHERE pass='1234\' OR 1=\'1'
Now it only checks whether the password is literally 1234' OR 1='1, and no longer evaluates 1=1.
mysql_real_escape_string() puts a backslash in front of the characters MySQL treats specially inside a string literal: NUL, \n, \r, \, ', " and Ctrl-Z. MySQL then reads \' as a literal apostrophe rather than the end of the string, so the user's quote cannot close the literal. Two things to keep in mind: the function needs an open connection (it escapes according to the connection's character set, which is what makes it safer than addslashes()), and it only helps for values that sit inside quotes in the query. The unquoted form from the first example is still injectable after escaping, because 1234 OR 1=1 contains nothing to escape. The mysql_* functions and magic quotes are gone from current PHP (magic quotes in 5.4, the mysql extension in 7.0); with mysqli or PDO the same job is done by a prepared statement, which keeps the value out of the SQL text altogether.
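As an added example, not part of the original post, here is the login check run four ways against an in-memory SQLite database through PDO, so it works without a MySQL server: the unquoted and the quoted-but-unescaped queries from the scripts above, the escape-then-quote approach (PDO::quote() is the driver-aware equivalent of mysql_real_escape_string() plus the surrounding quotes), and a prepared statement. The table, user rows and inputs are constructed for the demo. The second payload uses '1'='1 rather than 1='1 because SQLite, unlike MySQL, does not treat the integer 1 and the string '1' as equal; the quote break-out works exactly as described above.

```php
<?php
// Added example, not from the original post. Runs the login check four ways
// against an in-memory SQLite database (PDO), so no MySQL server is needed.
// Table, rows and inputs are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
$pdo->exec("INSERT INTO users (name, pass) VALUES ('alice', 'secret'), ('bob', 'hunter2')");

// Number of rows a raw SQL string returns, or -1 if the database rejects it
// (a broken query is how an injection attempt usually shows up in the logs).
function rowCount(PDO $pdo, string $sql): int
{
    try {
        return count($pdo->query($sql)->fetchAll());
    } catch (PDOException $e) {
        return -1;
    }
}

// 1. Unquoted interpolation, as in the first script of the post.
function loginUnquoted(PDO $pdo, string $pass): int
{
    return rowCount($pdo, "SELECT * FROM users WHERE pass={$pass}");
}

// 2. Quoted but unescaped, as in the second script of the post.
function loginQuoted(PDO $pdo, string $pass): int
{
    return rowCount($pdo, "SELECT * FROM users WHERE pass='{$pass}'");
}

// 3. Escape, then quote: what sanitize() plus '{$pass}' does with
//    mysql_real_escape_string. PDO::quote() is the driver-aware equivalent.
function loginEscaped(PDO $pdo, string $pass): int
{
    return rowCount($pdo, "SELECT * FROM users WHERE pass=" . $pdo->quote($pass));
}

// 4. Prepared statement: the value is sent separately from the SQL text and
//    can never be parsed as SQL, whatever characters it contains.
function loginPrepared(PDO $pdo, string $pass): int
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE pass = ?");
    $stmt->execute([$pass]);
    return count($stmt->fetchAll());
}

// The post's two payloads plus the real password as a control. SQLite does
// not treat 1 and '1' as equal the way MySQL does, so the second payload
// compares two strings; the quote break-out is the same.
$inputs = ["secret", "1234 OR 1=1", "1234' OR '1'='1"];
foreach ($inputs as $input) {
    printf("%-18s unquoted=%2d quoted=%2d escaped=%2d prepared=%2d\n",
        "[$input]",
        loginUnquoted($pdo, $input),
        loginQuoted($pdo, $input),
        loginEscaped($pdo, $input),
        loginPrepared($pdo, $input));
}
```

Only the escaped and prepared variants return zero rows for both payloads: the unquoted form lets 1234 OR 1=1 return every user (and errors on an ordinary password, because the bare word is parsed as a column name), and the quoted-only form lets the quote break-out return every user. Prefer the prepared statement: there is no escaping step to get wrong and no dependency on the connection's character set.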
That's the end of my tutorial. Some things to remember: sanitize cookies and select boxes too, as both can be modified on the client to carry SQL injection regardless of what you set them to; none of the methods in this tutorial stop % and _ from acting as wildcards in LIKE statements, so you will need to escape those separately; and remember this is not a tutorial on how to SQL inject, I have left some deliberate errors in the examples to prevent use of it for that.
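The % and _ point deserves its own example, because quoting, escaping and even a prepared statement all leave those two characters as wildcards once the value lands inside a LIKE pattern. This is an added example, not from the original post, using the same in-memory SQLite setup with names constructed for the demo; the escapeLike() helper and the ESCAPE clause are the part to copy. In MySQL, where backslash is also the string-literal escape, the SQL has to read ESCAPE '\\', which is four backslashes inside a PHP double-quoted string.

```php
<?php
// Added example, not from the original post: why escaping quotes does not
// help against % and _ inside LIKE, and one way to neutralise them.
// In-memory SQLite table with constructed names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob_smith'), ('bob-smith')");

// Escape the LIKE metacharacters, and the escape character itself, so the
// value matches only literally. Must be paired with a matching ESCAPE clause.
// The escape character is replaced first so later replacements are not re-escaped.
function escapeLike(string $value, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

// Naive: bound parameter, so no quote injection, but % and _ in the user's
// term are still wildcards and match far more than the literal text.
function searchNaive(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE ?");
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: wildcards in the user's term are escaped; only the % we add
// around it remain active. ESCAPE '\' tells SQLite which character escapes.
function searchEscaped(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 'bob_smith' also matches 'bob-smith' naively, and a bare '%' matches
// every row; after escaping each term matches only its literal text.
foreach (['bob_smith', '%', 'smith'] as $term) {
    printf("%-10s naive=%s escaped=%s\n",
        $term,
        json_encode(searchNaive($pdo, $term)),
        json_encode(searchEscaped($pdo, $term)));
}
```

The same helper applies to a mysqli or PDO MySQL connection unchanged; only the ESCAPE literal in the SQL differs. Escaping for LIKE is separate from escaping for the string literal, so with the post's mysql_* code the order is escapeLike() first, then mysql_real_escape_string(), then the quotes.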