Reputation: 179
I am just learning about SQL injection and trying to inject my PHP-based code (using the PHP Phalcon framework). I am trying to do SQL injection against my login. However, when I try the injection, I cannot do it, and I do not know whether that is because my code is already robust against SQL injection or because I am doing the injection the wrong way.
My login section consists of an email and a password. For the email field, I insert [email protected]' or 1=1
and insert some random password.
However, there is an error message showing something like this:
Scanning error before ' LIMIT :APL0:' when parsing: SELECT [Test\\Models\\Login].* FROM [TEST\\Models\\Login] WHERE email='[email protected]' or 1=1 --' LIMIT :APL0: (119)
Here is the verify login code:
public function verifyLogin ($email, $password) {
    // $email is spliced straight into the PHQL condition string, so whatever the
    // user typed becomes part of the query text.
    $records = $this->findFirst("email='$email'");
    if ($records && sha1($password)==$records->password) {
        return ($records->id);
    }
    return (false);
}
How do I know whether my injection is wrong or the code is already robust? And if the injection is wrong, how do I fix it?
Upvotes: 0
Views: 615
Reputation: 11485
The way you wrote your code, irrespective of whether it is Phalcon or not, is prone to SQL injection. I am not sure if you actually want to perform SQL injection against the script above or you are trying to figure out ways to protect against it.
If it is the latter, you can always bind your parameters:
public function verifyLogin ($email, $password) {
    // The condition contains only the :email: placeholder; the value is passed
    // through 'bind' and is never spliced into the query text.
    $record = $this->findFirst([
        'conditions' => 'email = :email:',
        'bind' => [
            'email' => $email,
        ],
    ]);
    if ($record && sha1($password) == $record->password) {
        return ($record->id);
    }
    return false;
}
The above code uses bound parameters, a feature of PDO that offers better security against SQL injections.
Upvotes: 4
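An added example, not taken from either post, that models the two lookups side by side: the question's interpolated `email='$email'` condition and the answer's bound `:email` parameter. It uses Python's sqlite3 in place of Phalcon's database layer and a constructed one-row `login` table; the unsalted `sha1` comparison is kept exactly as in the question so the password step behaves the same way.

```python
import hashlib
import sqlite3

# Constructed sample account (hypothetical, not from the original post).
SAMPLE_USERS = [
    (1, "alice@example.com", hashlib.sha1(b"correct horse").hexdigest()),
]

# The email value from the question, as it reaches the lookup.
CRAFTED_EMAIL = "x' or 1=1 --"


def make_db():
    """In-memory stand-in for the Login model's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_first_interpolated(conn, email):
    """Mirrors findFirst("email='$email'"): the value becomes part of the SQL text."""
    sql = f"SELECT id, email, password FROM login WHERE email='{email}' LIMIT 1"
    return conn.execute(sql).fetchone()


def find_first_bound(conn, email):
    """Mirrors the 'conditions'/'bind' form: the value travels as a parameter only."""
    sql = "SELECT id, email, password FROM login WHERE email = :email LIMIT 1"
    return conn.execute(sql, {"email": email}).fetchone()


def verify_login(conn, email, password, lookup):
    """Same control flow as the question's verifyLogin, with the lookup pluggable."""
    row = lookup(conn, email)
    if row and hashlib.sha1(password.encode()).hexdigest() == row[2]:
        return row[0]
    return False


if __name__ == "__main__":
    db = make_db()
    # Interpolation lets the crafted email rewrite the WHERE clause and select
    # a row the caller never asked for; binding treats it as a literal string.
    print("interpolated:", find_first_interpolated(db, CRAFTED_EMAIL))  # a row
    print("bound:       ", find_first_bound(db, CRAFTED_EMAIL))         # None
```

Note that with the question's code the sha1 check still runs against whatever row the rewritten WHERE clause returned, so the crafted email alone selects an arbitrary account rather than skipping the password comparison; binding removes the rewrite entirely.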