raptorjesus

Reputation: 53

Can you spot the SQL injection?

I was reading it in 2600, but the article is also here: https://viaforensics.com/mobile-security/static-code-analysis-watchtower.html Anyway, there is a code block:

$result = mysql_query("SELECT * FROM users WHERE username = '{$_GET['username']}' AND `password` = SHA1('{$_GET['password']}')")

The author says "Readers of 2600 will spot the obvious SQL injections, but it seems that many programmers – remarkably – will not." Can someone explain and point out what he means?

My guess was that he meant it's vulnerable because there appears to be no cleaning of the data for characters notorious for injection?

I'm a relative novice with PHP5/MySQL and went over this code over and over looking for what's wrong, but couldn't come to any other conclusion.

Upvotes: 3

Views: 152

Answers (3)

Adrian Sullivan

Reputation: 397

Let us expand on Namphibian's answer a bit. $_GET['parameter'] is a parameter that is part of the URL, so it will look something like:

http://link/foo.php?username=thatguy&password=whoa

Here $_GET['username'] is "thatguy" and $_GET['password'] is "whoa".

So let's put that in the code:

$result = mysql_query("SELECT * FROM users WHERE username = 'thatguy' AND `password` = SHA1('whoa')")

What would happen if we passed in "' OR ''=''#" for username? Let's just encode it for the URL:

http://link/foo.php?username=%27%20OR%20%27%27%3D%27%27%23&password=whoa

This will return:

$result = mysql_query("SELECT * FROM users WHERE username = '' OR ''=''# AND `password` = SHA1('whoa')")

The ' OR ''=''# will force the query to return all results, and the # will comment out the rest of the MySQL statement, so who cares about the password.

So the MySQL query will only look at:

SELECT * FROM users WHERE username = '' OR ''=''

Just need someone to confirm the URL encoding.

Upvotes: 2

Namphibian

Reputation: 12221

If username was something like '' OR ''=''# and password was 'anything', it would short-circuit the query to become:

SELECT *
FROM users
WHERE username ='' OR ''=''#AND password ='anything'

You can short-circuit the logic by injecting SQL into parameters.

Upvotes: 6

Szymon

Reputation: 43023

The best way to mitigate SQL injection is to use parameters in all SQL queries.

If you concatenate strings to create a query, you can lower the risk of injection but that's not the best way to go. You can assume that there's always a risk if you concatenate. In the case of the query above, you can inject any value you want into the parameters.

Upvotes: 2
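As an added example (not code from the question, the answers or the linked article), here is the concatenated query from the question next to the parameterized form Szymon recommends, written with PDO against an in-memory SQLite database so it runs offline; the users table, the sample rows and the two function names are assumptions made for the demo.

```php
<?php
// SQLite has no SHA1() built in, so PHP's sha1() is registered under that name;
// MySQL provides SHA1() natively, so the queries below read the same there.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->sqliteCreateFunction('SHA1', 'sha1', 1);

// Constructed sample data for the demo.
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$ins = $pdo->prepare("INSERT INTO users VALUES (?, SHA1(?))");
foreach ([['thatguy', 'whoa'], ['alice', 'hunter2']] as $row) {
    $ins->execute($row);
}

// Vulnerable: the input is pasted into the SQL text, exactly like the
// mysql_query() call in the question. Returns the number of matching rows.
function loginVulnerable(PDO $pdo, string $username, string $password): int
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = SHA1('$password')";
    return count($pdo->query($sql)->fetchAll());
}

// Fixed: placeholders keep the input as data, so a quote in the username
// can never terminate the string literal or alter the WHERE clause.
function loginSafe(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = SHA1(?)");
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll());
}

// Same idea as the ' OR ''=''# value in the answers above; SQLite only
// understands the -- comment form, MySQL accepts both # and --.
$injected = "' OR ''='' --";

printf("vulnerable, real credentials: %d row(s)\n", loginVulnerable($pdo, 'thatguy', 'whoa'));
printf("vulnerable, injected:         %d row(s)\n", loginVulnerable($pdo, $injected, 'wrong'));
printf("safe, real credentials:       %d row(s)\n", loginSafe($pdo, 'thatguy', 'whoa'));
printf("safe, injected:               %d row(s)\n", loginSafe($pdo, $injected, 'wrong'));
```

The vulnerable function hands back every user for the injected username because the password check was commented away, while the parameterized version simply looks for a user literally named `' OR ''='' --` and finds none.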
