5

I'd like to note first that this is an education attempt on my own database to better understand MySQL injections to protect my own code.

I need to work out a couple of examples of how a MySQL injection can be constructed against the following code. It's a basic user login system where I'm accepting the username and password without any escaping:

$user = (!empty($_POST['user'])) ? $_POST['user'] : '';
$pass = (!empty($_POST['pass'])) ? $_POST['pass'] : '';

The MySQL query then tries to find the entered username and password in my table called users, as follows:

$res = mysql_query("SELECT * from users where user='{$user}' AND pass='{$pass}'");

This is un-escaped input, and I'm trying to come up with MySQL injections to:

  1. bypass the password knowing a legitimate user's username (one user in my users table is tester), and
  2. an injection that would drop the users table in its entirety.

I've tried a couple of MySQL injection examples from Wikipedia, but I'm guessing the {} in my query is preventing the injection, so I would appreciate some help from those who are confident with this, and thank you to all.

Comment (1), Oct 2, 2009 at 9:02: please list the ones you already tried

6 Answers

5

Something like this should do:

  1. To log in as user "foo", set the username to "foo' -- "

This will make your query look like

$res = mysql_query("SELECT * from users where user='foo' -- ' AND pass=''");

The "-- " means the rest of the line is commented out.

  2. Not sure if this will work but try setting the username to "foo' OR (DROP TABLE users) -- "

This will make your query look like:

$res = mysql_query("SELECT * from users where user='foo' OR (DROP TABLE users) -- ' AND pass=''");

Might not accept that though - I think subqueries can only SELECT.

The mysql_query function will only run one query - others would let you do this:

$res = mysql_query("SELECT * from users where user='foo'; DROP TABLE users -- ' AND pass=''");

1 Comment

Multiple queries using mysql_query are unsupported, as stated in the doc: mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.

3

You will not be able to DROP the table because using mysql_query you can't send multiple queries.


1

Here's a long list.

http://ha.ckers.org/sqlinjection/

Your code will obviously fail almost all the tests as it is totally unprotected.


1

$user = (!empty($_POST['user'])) ? $_POST['user'] : '';
$pass = (!empty($_POST['pass'])) ? $_POST['pass'] : '';

// escape quote and backslash characters before the values are interpolated
// into the query string (requires an open mysql connection)
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);

$res = mysql_query("SELECT * from users where user='{$user}' AND pass='{$pass}'");

That will protect the code for you. No one will be able to DROP the table.
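The following is an added example, not code from the question or from any of the answers. It puts the three constructions discussed on this page side by side: the question's interpolated query (which shows that the `{}` is PHP string syntax and never reaches MySQL), the escaping approach from the answer just above, written against mysqli because the mysql_* extension no longer exists in current PHP, and a prepared statement, which keeps the SQL text fixed so the `foo' -- ` input from the first answer is treated as plain data. The function names `build_query_unsafe`, `build_query_escaped` and `login_prepared`, the `DB_*` environment variables, and the assumption that passwords are stored as `password_hash()` output rather than plain text are all assumptions of this example; only the `users` table and its `user`/`pass` columns come from the question.

```php
<?php
// Added example (not from the question or any answer): the query-building
// strategies discussed on this page, side by side.

// 1. The question's original construction. "{$user}" is PHP interpolation:
//    PHP consumes the braces and substitutes the raw value, so MySQL only ever
//    sees the finished string. The braces provide no protection at all.
function build_query_unsafe(string $user, string $pass): string
{
    return "SELECT * from users where user='{$user}' AND pass='{$pass}'";
}

// 2. The escaping approach from the answer above, using the mysqli equivalent
//    of mysql_real_escape_string. Escaping needs an open connection (it is
//    charset-aware) and only helps when the value is placed inside quotes.
function build_query_escaped(mysqli $db, string $user, string $pass): string
{
    $u = $db->real_escape_string($user);
    $p = $db->real_escape_string($pass);
    return "SELECT * from users where user='{$u}' AND pass='{$p}'";
}

// 3. Prepared statement: the SQL is parsed before any user data is supplied,
//    so a quote or "-- " in the input cannot change the statement's structure.
//    Assumes the `pass` column holds a password_hash() value (the question
//    stores plain text); the comparison is done in PHP with password_verify.
function login_prepared(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT pass FROM users WHERE user = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $storedHash = null;
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true && password_verify($pass, (string) $storedHash);
}

// Constructed inputs: a normal login and the username from the first answer.
$inputs = [
    ["tester", "secret"],
    ["foo' -- ", ""],
];

// The unsafe builder runs with no database at all; the second line shows the
// comment marker swallowing the password condition:
// SELECT * from users where user='foo' -- ' AND pass=''
foreach ($inputs as [$user, $pass]) {
    echo build_query_unsafe($user, $pass), PHP_EOL;
}

// The two connection-backed functions only run when DB_* (assumed names) are set.
if (getenv('DB_HOST') !== false) {
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    foreach ($inputs as [$user, $pass]) {
        echo build_query_escaped($db, $user, $pass), PHP_EOL;
        var_dump(login_prepared($db, $user, $pass));
    }
}
```

Run with `php example.php` to see the interpolated strings; export `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME` to exercise the escaped and prepared variants against a test database. Of the three, only the prepared statement is robust by construction: the escaped version depends on the value being quoted and on the connection charset, and the mysql_* functions it descends from were removed in PHP 7.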


0

{} are not the reason. It might be that PHP's Magic Quotes (now deprecated) protect you from rather simplistic attacks.

However, you can switch them off and then test again.


0

Try this one out and see if it dumps the entire table:

For both username and password, I enter:

' OR 1=1 AND '}' '= 

This of course assumes that I know you are using the curly brace to wrap the data values.

I'm really not sure how MySQL handles mixed logic like that, since it's not enclosed in parenthesis, so let me know if it works!
