php sql injection

Question

I have been surfing these days and got to know about SQL INJECTION ATTACK. i have tried to implement on my local machine to know how this can be done so that i can prevent it in my system...

i have written code like this

PHP Code :

if(count($_POST) > 0){

       $con = mysql_connect("localhost","root","") or die(mysql_error());
    mysql_select_db('acelera',$con) or die(mysql_error()); //
    echo $sql = 'SELECT * FROM acl_user WHERE user_email = "'.$_POST['email'].'" AND user_password = "'.$_POST['pass'].'"';
    $res_src = mysql_query($sql);
    while($row = mysql_fetch_array($res_src)){
        echo "<pre>";print_r($row);echo "</pre>";
    }
}

HTML CODE :

<html>
<head></head>
<body>

 EMAIL : <input type="text" name="email" id="email" /><br />
    PASWD : <input type="text" name="pass" id="pass" /><br />
    <input type="submit" name="btn_submit" value="submit email pass" />
        </body>
</html>

by this code if i give input as " OR ""=" then sql injection should get done. but it is not working properly. in post data i have addition slashes if i give above input in password field.

can any one show me how actually SQL INJECTION ATTACK can be done?(code will be more appreciable)

Answer 1

How to prevent a SQl injection

1) Filter Input- Stop believing your users: The biggest threat to the application is from its users. Users need not be well mannered and obedient as you are expecting. Some users have really bad intentions and some simply try to test their hacking skills. Whatever code you are going to write, write it using the best practices and consider the security aspects of it. Validate every field in the form

2) Use database wrapper classes or PDO – Database wrappers or PDO (in PHP) can reduce the risk of direct access of the input values to the database. Prepared statements can be used along with PDO as shown below.

http://www.itechnicalblog.com/what-is-a-sql-injection-and-how-to-fix-it/

Answer 2

change it to : noe if you input password as something OR 1=1 then it will cause injection

   <?PHP if(count($_POST) > 0){

   $con = mysql_connect("localhost","root","") or die(mysql_error());
   mysql_select_db('acelera',$con) or die(mysql_error()); //
   echo $sql = "SELECT * FROM acl_user WHERE user_email = ".$_POST['email']." AND user_password = ".$_POST['pass'];
   $res_src = mysql_query($sql);
   while($row = mysql_fetch_array($res_src)){
    echo "<pre>";print_r($row);echo "</pre>";
   }
   }
   ?>


  <html>
  <head></head>
  <body>
  <form action="" method="post">
  EMAIL : <input type="text" name="email" id="email" /><br />
  PASWD : <input type="text" name="pass" id="pass" /><br />
  <input type="submit" name="btn_submit" value="submit email pass" />
  </form>
  </body>
  </html>

Answer 3

As everyone already said - you probably have magic quotes on. Though here is a trick: this function makes SQL Injection harder to perform, but not completely impossible.

Moreover even addslashes() can't help you with it. A possible attacker can try multi-byte charsets and some other tricks.

Here is a good article about it: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Keeping short: if you use multi-byte chars in single-byte environment some of them will become two single-byte chars - slashes, quotes, etc.

Answer 4

The SQL you are trying to form should look like this:

SELECT * FROM acl_user WHERE user_email = "a@a.com" Or 1=1; --" AND user_password = ""

Try entering:

a@a.com" Or 1=1; --

As the e-mail address and ignore the password.

The -- makes the rest of the statement ignored.

Here's some good info on the matter: http://php.net/manual/en/security.database.sql-injection.php

Answer 5

You probably have magic quotes enabled. Check the return value of get_magic_quotes_gpc.

"Magic quotes" is an antique attempt from PHP to auto-magically prevent SQL injection, but in current versions it has been deprecated and you are encouraged to use prepared statements to avoid SQL injection.

See here how to disable them so you can experiment with SQL injection.

Answer 6

I suggest looking at Acunetix, or something similar and free like this add-on for firefox:

https://addons.mozilla.org/en-US/firefox/addon/sql-injection/

It's quicker for testing against SQL Injections and also scans all forms / maybe methods of SQLi you were unaware of. Acunetix extends this and tests for RFI, XSS etc.

Using code isn't efficient.

Answer 7

I think you get the additional slash due to magic quotes http://ch2.php.net/magic_quotes

Most modern PHP installations have turned it off, so you don't want to rely on that. Just use mysql_real_escape_string() or, better, use PDO http://ch2.php.net/pdo

Answer 8

I think in your php.ini magicquotes or something like it is one. this means that special characters are automaticly escaped.

On this page in the php manual is explained how to turn it off:

http://www.php.net/manual/en/security.magicquotes.disabling.php

Answer 9

use:

mysql_real_escape_string($_POST['thing'])

I would also suggest using PDO or MySQLI to connect/query your database. the old mysql_ commands are a throback to PHP3 the latter ovver performance improvements too.

Here is a good (but simplistic) introduction to how SQL Injection works via PHP/MySQL: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php