16 replies to this topic

[Affix]

SQL Injection is injecting SQL Through a Get or Post from a script into the SQL. for Example

member.php?id=6

The code for SQL may be

$id = $_GET['id']

$row= mysql_query('select * from `members` where id=$id');

This would allow the Attacker to Execute a Union Select statement.This would look like

member.php?id=' UNION SELECT concat(username,char(58),password) FROM members

A possible output would be

Affix:d8b9bb5e644429268d274cf03c6d6e06

All you would need to do is crack the hash

So how exactly do you stop this attack?

Its simple. There are many methods of protecting from SQL injection. I use 2. These are the ones Im going to teach you.

If its a simple numerical ID such as the example above Just add a Value Check. In the above code it would look like below.

$id = $_GET['id'];

if(!isnumeric($id)) { die("GTFO MY SERVER NOOB"); }

[/size][/font]$row= mysql_query('select * from `members` where id=$id');

Now if I tried to execute my Union Statement I would get an error

GTFO MY SERVER NOOB

Now what if you are using a string such as a search. a Union would be used the same way.

This way I would use the 'mysql_real_escape_string'

This would look like

$id = mysql_real_escape_string($_GET['id']);

This string it now Properly escaped and will not allow Succesful Execution of SQL Injection.

--------

Any Questions E-Mail : Affix[@]FedoraProject.org

[WingedPanther]

I like the error message :)

[Xav]

John has already written a SQL Injection tutorial: http://forum.codecal...injections.html

[Brandon W]

This is just a basic one as you can see. It only shows the very basics, John's is an extensive version.

[Xav]

Quote

This is just a basic one as you can see. It only shows the very basics, John's is an extensive version.

I can see that, but John's tutorial describes SQL injections in a more comprehensive way, I feel.

[John]

It never hurts to see another example.

Is the function isnumeric() your own or a typo for is_numeric()? As a side note, checking for type isn't necessarily a way to protect against SQL injections rather its a means to validate your data, and for table id's I find it better to rely on ctype_digit.

Good info none-the-less.

[Affix]

yeah sorry about the typo It was the first tutorial I ever wrote. I wrote this about 3-4 Years ago

[Brandon W]

That is a long time ago, why not improve it with your new knowledge?

[Affix]

I will When I finnish Writing my paper on SQL Injection

[Brandon W]

Great, I can't wait for your next tutorial. What's your paper for?

[Affix]

Its a paper for Fun :)

When I get bored I write whitepapers to aid in App development, System Security, System Hacking and stuff like that.

I have been told by University Professors I have the equivelent knowlege of IT as someone with a degree in Systems Engineering.