
What Are Sql Interjection Attacks?


22 replies to this topic

#1 sirhenry

    sirhenry the bland

  • Kontributors
  • 62 posts
  • Location:A Location Formerly Known as Thingrend

Posted 29 January 2005 - 03:44 PM

Yikes! I just found out about this. It's really something to watch out for when making SQL of any sort, not just log-ins. Fortunately, it's relatively easy to circumvent.

Check it out:

[quote name='"A man wiser than I"']What is an SQL Injection attack?

An SQL Injection attack happens when a user gives your script data crafted to change your SQL to do something you didn't intend it to do. Consider this SQL:

// Deliberately unescaped user input: this is the vulnerable query the text discusses.
$sql = 'SELECT * FROM users WHERE username="'.$username.'"
AND password="'.$password.'"';
// mysql_query() returns a result resource for any successful SELECT, even one that
// matches no rows, so the login must check that a row actually came back.
$result = mysql_query($sql);
if ($result && mysql_num_rows($result) > 0) {
  echo 'Logged in!';
}

It looks fine, but what if a user submitted this as their password:

" OR 1=1 OR ""="

This would cause the SQL to read:

SELECT * FROM users WHERE username="" AND password="" OR 1=1 OR ""=""

which would allow the attacker to get into your system without even knowing a login!

On many databases you can also run multiple queries by putting a semicolon in the SQL you pass. Consider this password:

"; DELETE FROM users WHERE ""="

This would run the first query, which would probably find no records, but it would then run the DELETE query which would delete all of your users. Note that this could also be used to delete any other data in your system or to change your data or insert a new user with admin privileges.

To protect against this, you need to "escape" the variables you put into your SQL. When using Mysql you can do this:


$sql = 'SELECT * FROM users WHERE
username="'.mysql_real_escape_string($username).'" AND
password="'.mysql_real_escape_string($password).'"';


If you're using PEAR::DB you can do this (this will work for *any* database system that DB supports):

$sql = 'SELECT * FROM users WHERE
username='.$db->quoteSmart($username).' AND
password='.$db->quoteSmart($password);[/quote]


Pretty scary stuff, huh? ::shocked::


Note: this is taken from [url="http://www.reversefold.com/tikiwiki/tiki-index.php?page=PHPFAQs#id601011"]this wiki[/url], and the rightful author(s) of this information deserve all credit due.
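Added example (not from the thread or the quoted wiki): the same login check built two ways over a constructed in-memory SQLite table, so the bypass described above can be reproduced and compared against a parameterised query. SQLite delimits strings with single quotes, so the post's `" OR 1=1 OR ""="` payload is written here with single quotes; the table and credentials are assumed.

```python
import sqlite3

def make_db():
    """Constructed sample data: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable: mirrors the post's string-built query, with single-quoted literals."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return len(conn.execute(sql).fetchall()) > 0

def login_param(conn, username, password):
    """Hardened: values are bound by the driver and never become part of the SQL text."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return len(conn.execute(sql, (username, password)).fetchall()) > 0

# The post's bypass payload, adapted to single quotes (constructed input).
INJECTED_PASSWORD = "' OR 1=1 OR ''='"

def demo():
    """Run both variants with a real login and with the injected password."""
    conn = make_db()
    return {
        "concat_valid": login_concat(conn, "alice", "correct-horse"),
        "concat_injected": login_concat(conn, "", INJECTED_PASSWORD),  # bypass succeeds
        "param_valid": login_param(conn, "alice", "correct-horse"),
        "param_injected": login_param(conn, "", INJECTED_PASSWORD),    # treated as a literal
    }

if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: {'logged in' if logged_in else 'rejected'}")
```

With the concatenated query the injected password logs in with an empty username; with bound parameters the same string is compared as a literal and is rejected.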

#2 Xedos

    Give me Reputation and i'll give you some back.

  • Banned
  • 203 posts
  • Location:Wirral, Northwest England
  • Interests:Interweb, Weebl and Bob, Linux, Windows, Nereks.

Posted 29 January 2005 - 03:47 PM

Wow. I've known about SQL Interjections for ages. I, however, never knew what they did. This has explained it all to me. Thanks!

#3 maddog39

    Super Member

  • Kontributors
  • 208 posts
  • Location:LI, New York
  • Interests:Web programming, computer programming, computer games, and Play Station2. :D

Posted 29 January 2005 - 06:33 PM

I know someone who had an SQL injection attack on their phpBB forum and the hacker logged into the ACP and kaked everything and left a message on his homepage, lol. :P

#4 Roly

    Advanced Member

  • Kontributors
  • 144 posts
  • Location:Arizona
  • Interests:school dunno whatever

Posted 29 January 2005 - 07:33 PM

or you can use htmlentities() or addslashes()

#5 OpaQue

    Administrator

  • Admin - The Official Guru
  • 1,895 posts
  • Gender:Male
  • Location:Somewhere in Time & Space.
  • Interests:Discovering Myself.
  • myCENT:-129.97

Posted 29 January 2005 - 08:12 PM

This is very helpful information that you have contributed! And it must be known by many programmers.

I have Granted you 2 Hosting Credits as reward! :P

#6 King-Squad

    Newbie [Level 3]

  • Kontributors
  • 43 posts

Posted 29 January 2005 - 08:15 PM

What are hosting credits by the way?

#7 OpaQue

    Administrator

  • Admin - The Official Guru
  • 1,895 posts
  • Gender:Male
  • Location:Somewhere in Time & Space.
  • Interests:Discovering Myself.
  • myCENT:-129.97

Posted 29 January 2005 - 08:33 PM

http://www.trap17.com/forums/

#8 King-Squad

    Newbie [Level 3]

  • Kontributors
  • 43 posts

Posted 29 January 2005 - 08:37 PM

Ooo, gotcha, thank you. I wasn't paying attention, sorry.

#9 maddog39

    Super Member

  • Kontributors
  • 208 posts
  • Location:LI, New York
  • Interests:Web programming, computer programming, computer games, and Play Station2. :D

Posted 29 January 2005 - 09:13 PM

It's been like 1 or 2 days and I have 20 credits from my original starting 3, lol. :P :D

#10 Xedos

    Give me Reputation and i'll give you some back.

  • Banned
  • 203 posts
  • Location:Wirral, Northwest England
  • Interests:Interweb, Weebl and Bob, Linux, Windows, Nereks.

Posted 31 January 2005 - 02:25 PM

What? You're giving out hosting credits?

You're nice.

*Cough*Isaidyournicenowgiveme5000credits*Cough*



