Post4VPS Forum | Free VPS Provider

Full Version: SQL injection
The most common web security risk.
When a user is able to manipulate the value given to the page as username or password, the query formed can leak the info.
Example:
PHP Code:
<?php
$con = mysqli_connect("localhost", "sql1", "sql1", "sql1");
// user input is pasted straight into the SQL text
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($con, $query);
if (mysqli_num_rows($result) > 0)
    echo "<h1>Logged in!</h1>";
Here if $username = ' or '0'='0
and $password = ' or '0'='0
then the query becomes "SELECT * FROM users WHERE username='' or '0'='0' AND password='' or '0'='0' "
Hence every row comes out as output.

Please share new ways for performing it.
Also post queries related to it.
Hello, I have to tell you that by this example and this type of thread you are actually attracting geeks to use this kind of knowledge for malicious purposes and possibly buy trouble for themselves, which we are not in favor of.

For a general fact, SQL injections are fairly negligible at the current point of technology, especially with the use of prepared statements. I would rather appreciate you talking about the security enhancement.

For the above illustration and most other attacks, all you need to do is pass the query through an escaping function like mysql_real_escape_string() in PHP, and best is to use PDO/prepared statements.

Best Regards
Heart PDO!!

You should use it like this:
PHP Code:
<?php
$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$dbPassword = 'dbpass'; // renamed so it is not confused with the form's $password below

try {
    $dbh = new PDO($dsn, $user, $dbPassword);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}

try {
    // $username and $password hold the values submitted by the login form
    $query = $dbh->prepare("SELECT * FROM users WHERE username=:user AND password=:password");
    $query->execute(['user' => $username, 'password' => $password]);
    if ($query->rowCount() > 0) {
        echo 'Welcome!!';
    } else {
        echo 'There is no row with the given credentials.';
    }
} catch (PDOException $e) {
    echo 'Database error: ' . $e->getMessage();
}


Although it should work, I have not tested it.
(06-04-2016, 04:59 PM)Rishabh Jain Wrote: Hello, I have to tell you that by this example and this type of thread you are actually attracting geeks to use this kind of knowledge for malicious purposes and possibly buy trouble for themselves, which we are not in favor of.

For a general fact, SQL injections are fairly negligible at the current point of technology, especially with the use of prepared statements. I would rather appreciate you talking about the security enhancement.

For the above illustration and most other attacks, all you need to do is pass the query through an escaping function like mysql_real_escape_string() in PHP, and best is to use PDO/prepared statements.

Best Regards
Sir, I totally get it... I just want this thread to be a precautionary measure, if anyone uses PHP to connect to a database.
And as you say, this basic example which I provided can be avoided through the mysql_real_escape_string() function.
But there are dozens of other security vulnerabilities in SQL/PHP that can be of help to everyone for "security enhancements"..
For example, even if we use this escape function, LIKE %% or _ can be used to guess the password length or characters inside it, "if used carelessly".
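Why quote escaping alone does not cover the LIKE case raised above, as an added example that is not code from anyone in this thread: escapeLike(), countWildcard() and countLiteral() are hypothetical helper names, and the script assumes the pdo_sqlite extension so it runs offline against a constructed in-memory table.

```php
<?php
// Added example (not from this thread): escaping quotes does not neutralise the
// LIKE wildcards % and _. Assumes pdo_sqlite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT)");
// constructed sample rows; note one username is literally "a%"
$pdo->exec("INSERT INTO users VALUES ('alice'), ('albert'), ('a%'), ('bob')");

// Escape the LIKE metacharacters so user input is matched literally.
// The escape character itself must be handled first.
function escapeLike(string $value, string $esc = '\\'): string {
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

// Constructed sample input: a prefix plus a wildcard, as a careless search box
// would pass it through unchanged.
$input = 'a%';

// Bound as a parameter, so no SQL injection, but the wildcard is still
// interpreted by LIKE and 'a%' also matches alice and albert.
function countWildcard(PDO $pdo, string $input): int {
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username LIKE :pattern");
    $stmt->execute(['pattern' => $input]);
    return count($stmt->fetchAll());
}

// Escaped and declared with ESCAPE: only the row whose username is
// literally 'a%' can match.
function countLiteral(PDO $pdo, string $input): int {
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username LIKE :pattern ESCAPE '\\'");
    $stmt->execute(['pattern' => escapeLike($input)]);
    return count($stmt->fetchAll());
}

printf("wildcard match: %d rows\n", countWildcard($pdo, $input));
printf("literal match:  %d rows\n", countLiteral($pdo, $input));
```

PDO::quote() and mysqli_real_escape_string() leave % and _ untouched, which is exactly the gap described in the post above; a hardened search or login form has to escape them separately and declare the escape character in the query.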

(06-06-2016, 08:50 PM)RickB Wrote: Heart PDO!!

You should use it like this:

The colon acts as a bind variable, although I don't understand how it will work.
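How the :user and :password placeholders behave next to the string-built query from the first post, as an added example that is not RickB's or thispc's code: loginConcatenated() and loginPrepared() are hypothetical helper names, and the script assumes the pdo_sqlite extension and a constructed in-memory users table so it runs offline.

```php
<?php
// Added example (not from this thread): the same login query built two ways.
// Assumes pdo_sqlite so it runs offline against an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
// constructed sample rows
$pdo->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// The attacker-controlled values from the first post (constructed sample input).
$username = "' or '0'='0";
$password = "' or '0'='0";

// Vulnerable: the values become part of the SQL text, so the quote in
// ' or '0'='0 closes the string literal and rewrites the WHERE clause.
function loginConcatenated(PDO $pdo, string $username, string $password): int {
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    return count($pdo->query($sql)->fetchAll());
}

// Prepared: the SQL text is fixed when prepare() runs. execute() sends the
// values separately, so ' or '0'='0 is only data compared against the column.
function loginPrepared(PDO $pdo, string $username, string $password): int {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username=:user AND password=:password");
    $stmt->execute(['user' => $username, 'password' => $password]);
    return count($stmt->fetchAll());
}

printf("concatenated query:    %d rows\n", loginConcatenated($pdo, $username, $password));
printf("prepared statement:    %d rows\n", loginPrepared($pdo, $username, $password));
printf("prepared, real login:  %d rows\n", loginPrepared($pdo, 'alice', 's3cret'));
```

Run it and the concatenated query returns every row for the ' or '0'='0 input while the prepared statement returns none, and only the genuine alice/s3cret pair matches. The rows are counted with fetchAll() rather than rowCount(), because PDO does not guarantee rowCount() for SELECT statements on every driver.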
(06-07-2016, 10:44 PM)thispc Wrote: Sir, I totally get it... I just want this thread to be a precautionary measure, if anyone uses PHP to connect to a database.
And as you say, this basic example which I provided can be avoided through the mysql_real_escape_string() function.
But there are dozens of other security vulnerabilities in SQL/PHP that can be of help to everyone for "security enhancements"..
For example, even if we use this escape function, LIKE %% or _ can be used to guess the password length or characters inside it, "if used carelessly".

Yes, I agree there are countless vulnerabilities, and the best way to defend that I know of is to prepare the queries before executing them.

Using the PHP MySQLi extension
PHP Code:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// prepare and bind
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);

// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "[email protected]";
$stmt->execute();

$firstname = "Mary";
$lastname = "Moe";
$email = "[email protected]";
$stmt->execute();

$firstname = "Julie";
$lastname = "Dooley";
$email = "[email protected]";
$stmt->execute();

echo "New records created successfully";

$stmt->close();
$conn->close();
?>

Using PDO Extension

PHP Code:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)
    VALUES (:firstname, :lastname, :email)");
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);

    // insert a row
    $firstname = "John";
    $lastname = "Doe";
    $email = "[email protected]";
    $stmt->execute();

    // insert another row
    $firstname = "Mary";
    $lastname = "Moe";
    $email = "[email protected]";
    $stmt->execute();

    // insert another row
    $firstname = "Julie";
    $lastname = "Dooley";
    $email = "[email protected]";
    $stmt->execute();

    echo "New records created successfully";
} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}
$conn = null;

Examples are from W3Schools
(06-08-2016, 04:53 AM)Rishabh Jain Wrote: Yes, I agree there are countless vulnerabilities, and the best way to defend that I know of is to prepare the queries before executing them.
Didn't know about PDO before... It first stores and later executes..... Thanks for sharing it..
I guess now it will be 100% secure from SQL injection????
(06-08-2016, 05:50 AM)thispc Wrote: Didn't know about PDO before... It first stores and later executes..... Thanks for sharing it..
I guess now it will be 100% secure from SQL injection????

Theoretically yes, the queries should be foolproof against SQL injection.

But practically NO, they aren't; they are good against 1st order attacks, but on the 2nd level they are almost as good as nothing.
Following is the Stack Overflow post for more info:
Click here to find more about it
Is there a way to prevent or block a SQL injection?
There are so many things that can be done to prevent SQL injections. Things like minimizing DB access, encrypting data, normalizing inputs, etc. But I haven't seen this type of problem for a long time. Last time it was at GoDaddy when their whole server network got compromised with a SQL injection attack.
The best way is to use the newest version of MySQL. I used to be defacing websites, and I found out that all the websites I was able to inject were only MySQL 5.1 or lower, and the newest version of MySQL currently is 5.7. It is actually just the same thing as preventing WannaCry: you need to update your software really often. Even though you don't need it, it always comes with the security patch that will prevent that sort of thing.