ansaurus

Question

How vulnerable is my code to SQL injection?

Answer 1

+8 A:

"Could someone log into this page and not need the password": Yes, trivially. Try the username yourfavoriteadmin' OR 1; --.

May as well link this, since certainly somebody will...

chaos 2009-08-17 13:32:09

I tried that but it didn't work. You sure that works with my single quotes? Can you elaborate and explain? And yes, I know that comic. :)

tkotitan 2009-08-17 13:55:16

If it doesn't work, that's good news, but I can't say I know why not. :) `--` is like `//` in C++, designates the rest of the line as a comment.

chaos 2009-08-17 14:03:46

Hmm, is there a mysql feature that disables comments?

tkotitan 2009-08-17 14:29:59

It also depends on your version of PHP - PHP will have its various "magic" cleaning functions on or off depending on the whim of the PHP team that day of the week. So some vulnerablities might not work so long as you are running on exactly the right version of PHP (unless someone then uses the encoding vulnerabilities in PHPs magic functions to bypass them).

David 2009-08-17 15:02:20

Answer 2

A:

try where $_POST['username'] is:

no one'; delete from users --

KM 2009-08-17 13:34:01

multiple statements typically have no effect with php's mysql interface

Paul Dixon 2009-08-17 13:35:32

Cute, but you forgot the `FROM`.

chaos 2009-08-17 13:36:24

the mysqli interface will perform multiple queries if you use mysqli::multi_query, but then you're just asking for trouble :)

Paul Dixon 2009-08-17 13:37:18

@chaos, added the "from", it is optional where I work most of the time (SQL Server)

KM 2009-08-17 13:39:40

Answer 3

+7 A:

It’s very vulnerable. If you know about all the nifty stuff like mysql_real_escape_string why do you waste your time and ask this question? You should be all over that code, fixing it. You know, like, NOW.

Bombe 2009-08-17 13:34:20

my thoughts exactly

dotjoe 2009-08-17 13:36:16

it's fixed, I was just wondering how long the back door is open, thanks guys!

tkotitan 2009-08-17 13:41:21

Answer 4

A:

Always clean up your data before using in any SQL query, if you're working with PHP >= 5.2, you have the Filter functions.

Simple question : why don't change the order WHERE pass = 'blabl' AND username = 'bla' ? Have you an index on this fields ?

Another question: what is the point with this line

$uname = $_POST['username'];

adding a variable, just for quoting/double-quoting effect in concatenation ? Without filtering nor escaping data ?

mere-teresa 2009-08-17 13:43:05

Answer 5

+2 A:

The code as written isn't technically vulnerable at all. Your SQL query contains variable $username but you never initialize it or set it to anything. That's a bug and you'll never get a valid result from MySQL.

Once you fix that bug, however, you should be escaping your variables with mysql_real_escape_string().

http://us.php.net/manual/en/function.mysql-real-escape-string.php

2009-08-17 14:44:44

+1 for pointing out the typo. Now, just hope that register_globals is off, as that could allow people to "initialize" $username.

Michael Stum 2009-08-17 14:47:00

fixed. good catch. I didn't copy and paste my actual code for obvious reasons. ;)

tkotitan 2009-08-17 14:47:12

I thought about register_globals, but since it's off by default and it's a pretty basic question, my guess is that the user was unlikely to have enabled it.

2009-08-17 14:51:08

ansaurus

tags:

views:

answers:

How vulnerable is my code to SQL injection?

related questions