Reputation: 236
I am trying to inject into a dummy website I have made; it's a simple form which uses the text input to send data to my PHP file and then outputs the data gathered. The following is my code for the SQL.
$id = $_GET['id'];
// PDO: quote() escapes and wraps the value before it is concatenated into the query text
$data = $conn->query('SELECT * FROM users WHERE username = ' . $conn->quote($id));
foreach($data as $row) {
    echo $row['id'].' '.$row['username'];
}
When I try to use things such as unions I get no data back and if I put an apostrophe at the end of the URL I don't get a MySQL error. Could someone please explain why the site is secure from SQL injections?
As there is some confusion as to what I asked: my final goal is to be able to get into the information schema, so I have been trying to use statements like the following to get into the schema, but without success:
' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='users' #
Upvotes: 0
Views: 1124
Reputation: 3928
Your injected SQL string should look like this
-1'/**/UNION/**/SELECT/**/1,@@VERSION/**/FROM/**/users/**/WHERE/**/1='1
as you need to close the last ' in the final SQL query.
Update:
As Your Common Sense pointed out:
For some strange reason the code in the question mysteriously has been changed to invulnerable PDO-based code. Which leads me to believe that the whole performance was just mere trolling.
Upvotes: 0
Reputation: 158003
As can be clearly seen from both the question and the answers, most people don't understand what injection is. For some strange reason everyone takes the consequences of injection for injection itself. While injection is just query creation. No more, no less.
So, the result of injection is not whatever data is returned, but the mere SQL query string. Thus, what the OP has to check is the resulting SQL query. It is an extremely simple task, as primitive as just echoing the query string out. This will reveal the injection possibility immediately, without toilsome guesswork and sophisticated query building.
Simple output like this
SELECT * from users WHERE username = 'Bill\''
will tell you that magic quotes are on and that the whole question is a thousand-times duplicate and not a real one at once.
UPDATE
For some strange reason the code in the question mysteriously has been changed to invulnerable PDO-based code. Which leads me to believe that the whole performance was just mere trolling.
Upvotes: 0
Reputation: 48179
Others apparently may have missed what you were asking...
You are INTENTIONALLY trying to SQL-inject your own site, such as for personal learning on how NOT to, but also to see what impacts SQL injection CAN have. If so, take a look at your statement and see "what would I need to add to fake it out".
"SELECT * from users WHERE username = '$id'"
If the user puts a value such as "Bill" for the $id, it would become
"SELECT * from users WHERE username = 'Bill'"
and run no problem. Now, you want to inject and see ALL users, a common way is to close the quote and then add something else that will always return true... such as a user puts a value of
' OR 1=1 ;--
The above would result in
"SELECT * from users WHERE username = '' OR 1=1;-- '"
The semi-colon and dashes are important to "finish" the original query, and then indicate that anything after the dashes is a comment, so it won't try to execute anything AFTER the otherwise dangling close quote from your original query build construct.
Hopefully that helps answer why you may be failing while TRYING to inject into your own site.
COMMENT FEEDBACK
I don't know why my version would not work, I am not trying to union anything, just force an all records returned.
With respect to your UNION clause, that looks ok, but if your users table has 3 columns and your UNION is only 2 columns, that should fail as the union should be the same number of columns as in the original query. THAT would cause a failure on execution, but not enough specific information to confirm.
Upvotes: 3
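The point of the two answers above (inspect the query string you actually built, then see what the ' OR 1=1 ;-- input does to it), as an added example that is not from this thread: the users table is constructed in-memory SQLite, and magic_quotes() is a hypothetical imitation of PHP's addslashes() behaviour, used only to reproduce the Bill\' output described earlier.

```python
import sqlite3

# Constructed stand-in for the asker's `users` table (not the asker's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Bill"), (2, "Alice"), (3, "Bob")])
    return conn

def build_query_unsafe(user_input):
    """Mirror of "SELECT * from users WHERE username = '$id'": the raw input is
    pasted into the SQL text, so this returned string is what to echo and inspect."""
    return "SELECT * FROM users WHERE username = '" + user_input + "'"

def run_unsafe(conn, user_input):
    """Execute the concatenated query and return the usernames it yields."""
    return [row[1] for row in conn.execute(build_query_unsafe(user_input))]

def run_parameterized(conn, user_input):
    """The fixed form: the value is bound as a parameter, never spliced into SQL,
    so a quote in the input stays part of the value."""
    return [row[1] for row in conn.execute(
        "SELECT * FROM users WHERE username = ?", (user_input,))]

def magic_quotes(user_input):
    """Hypothetical imitation of magic_quotes_gpc / addslashes(): a backslash is
    put before each quote, which is the tell-tale sign the second answer describes."""
    return user_input.replace("\\", "\\\\").replace("'", "\\'")

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 ;--"                          # input from the third answer
    print(build_query_unsafe(payload))                # the query string itself
    print(run_unsafe(db, payload))                    # every user comes back
    print(run_parameterized(db, payload))             # nothing: no such username
    print(build_query_unsafe(magic_quotes("Bill'")))  # ends in 'Bill\''
```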
Reputation: 324840
Most likely, you have magic quotes enabled, which is saving your otherwise-vulnerable code.
Don't rely on it.
Upvotes: 0