Is there anyone can tell me about sql injection?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Is there anyone can tell me about sql injection?

Post by goldensparrow »

This is my PHP and SQL code:

Code:

<?php
session_start();
include("../include/config.php");

// Username and password are concatenated straight into the query string.
// This is the line the injection test targets; the quotes in $_POST['pwd']
// only come out escaped because magic_quotes_gpc is on (see the replies).
$sql="select * from libraly_user where user_username='".$_POST['use']."' and user_password='".$_POST['pwd']."'";
$rs=mysql_query($sql)or die(mysql_error());
$row=mysql_fetch_assoc($rs);
$num=mysql_num_rows($rs);
if($num>0){
    session_register("ss_use");
    session_register("ss_id");
    session_register("ss_lv");
    $_SESSION['ss_use']=$_POST['use'];
    $_SESSION['ss_lv']=$row['user_level'];
    $_SESSION['ss_id']=session_id();   // was the bare constant session_id
    echo "<script>location.replace('index.php?pagetype=1');</script>";
}else{
    echo "<script>location.replace('login.php?err=1');</script>";
}
?>
I want to test SQL injection on my website, so I entered aaa in the username field and nopwd'or'1'='1 in the password field, but I can't access the index.php page.

I've checked the SQL variable. It prints this:

select * from libraly_user where user_username='aaa' and user_password='nopwd\'or\'1\'=\'1'

This is the reason why I can't access the index page ($_POST['pwd']=nopwd\'or\'1\'=\'1).
But why? $_POST['pwd']=nopwd\'or\'1\'=\'1

If anyone knows, please tell me, and if you don't understand what I mean you can ask me.

Thanks
Last edited by Benjamin on Wed Jun 17, 2009 9:33 pm, edited 1 time in total.
Reason: Added [code=php] tags.
jazz090
Forum Contributor
Posts: 176
Joined: Sun Apr 12, 2009 3:29 pm
Location: England

Re: Is there anyone can tell me about sql injection?

Post by jazz090 »

The reason is that you have magic quotes turned on, which give you some protection, as all quotes are automatically escaped by PHP. But by no means is this a safeguard, and magic_quotes itself is now deprecated and is being removed in PHP 6. If you turn off magic quotes it should work.

However, SQL injection has been becoming less and less of a threat; I have tried to attempt SQL injection but with no luck. But for one thing, 1=1 is not the only possibility. You could try just submitting " ' " (a single quote) to the SQL. MySQL will then parse it as ''' and of course will throw an error. Now, for those developers who have error reporting turned on, SQL is going to throw an error which is going to give away a lot about your SQL code as well as the database infrastructure.

To play it on the safe side, and as you probably know, always use mysql_real_escape_string(). If that can't be used, use addslashes() instead, but note that the former method is MUCH more effective than the latter.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is there anyone can tell me about sql injection?

Post by goldensparrow »

Thank you for your answer, and may I ask one more question?
If I use this code, the attacker has no way to attack my website by the SQL injection method for PHP 4, right?
jazz090
Forum Contributor
Posts: 176
Joined: Sun Apr 12, 2009 3:29 pm
Location: England

Re: Is there anyone can tell me about sql injection?

Post by jazz090 »

Like I said, magic_quotes is being deprecated in PHP 5.3.0 and removed as of 6.0.0. Inserting a POST variable in an SQL query is like MySQL suicide. What you have to do is first validate, so you know the user has entered it in a correct format, i.e. the telephone number doesn't contain any text, or if you are logging people in by email, then check to see if it's a valid email address. This to some degree gives you protection. Then you put the validated string through mysql_real_escape_string() and you feed that into MySQL.

A rule of thumb is that no programming architecture is immune to hacks, so you must do your best to close as many doors as you can so the hacker can't get in. The 2 steps I mentioned provide some security in logging in, but there are still ways an attacker could gain access, e.g. brute force attacks; that is something to think about. But these are highly sophisticated hacks and take a long time to show results, so unless you have a very popular website I would say it's not needed. In the end you should consider the importance of your website and find a balance between security and user experience, because more often, as security is increased, user experience tends to go down.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is there anyone can tell me about sql injection?

Post by kaisellgren »

Don't use addslashes() and don't use Magic Quotes, use mysql(i)_real_escape_string(). If you can't disable Magic Quotes (a stupid web host - time to switch perhaps?), then you can stripslashes() all incoming request data in the beginning of the script.
goldensparrow wrote:If I use this code, the attacker has no way to attack my website by the SQL injection method for PHP 4, right?
Wrong. Most of the SQLi attacks (especially the naive ones) can be beaten with addslashes() or Magic Quotes, but there are situations where addslashes() or Magic Quotes do not prevent SQLi.
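Putting jazz090's advice (normalise magic quotes, validate the format, then escape) and kaisellgren's (stripslashes() when you cannot turn Magic Quotes off, use the real_escape_string family) together for the login query from the first post. This is an added example, not code from any poster; it assumes a mysqli connection in $link provided by ../include/config.php and uses mysqli_real_escape_string() instead of the mysql_ variant.

```php
<?php
// Added example: the login from the first post, rewritten to
// (1) undo magic quotes so input is handled consistently,
// (2) validate the username's format, (3) escape what is interpolated.
// Assumes ../include/config.php provides a mysqli connection in $link.
session_start();
include("../include/config.php");

// Step 1: with magic_quotes_gpc on (PHP < 5.4), PHP has already added
// backslashes, which is why the poster saw nopwd\'or\'1\'=\'1.
// Strip them so $value is exactly what the user typed.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$use = isset($_POST['use']) ? raw_input($_POST['use']) : '';
$pwd = isset($_POST['pwd']) ? raw_input($_POST['pwd']) : '';

// Step 2: validate the format before it goes anywhere near SQL.
// Rule constructed for this example: 3-32 letters, digits, dot, underscore.
if (!preg_match('/^[A-Za-z0-9._]{3,32}$/', $use)) {
    header('Location: login.php?err=1');
    exit;
}

// Step 3: escape every value interpolated into the query. The password
// is not format-validated (it may legitimately contain quotes), so the
// escaping is the only thing keeping it out of the SQL grammar.
$sql = "SELECT user_level FROM libraly_user"
     . " WHERE user_username='" . mysqli_real_escape_string($link, $use) . "'"
     . " AND user_password='" . mysqli_real_escape_string($link, $pwd) . "'";

// Do not echo mysqli_error() to the browser: as jazz090 notes, a raw
// database error reveals the query text and schema. Log it instead.
$rs = mysqli_query($link, $sql);
if ($rs === false) {
    error_log('login query failed: ' . mysqli_error($link));
    die('Login temporarily unavailable');
}
$row = mysqli_fetch_assoc($rs);

if ($row) {
    $_SESSION['ss_use'] = $use;
    $_SESSION['ss_lv']  = $row['user_level'];
    $_SESSION['ss_id']  = session_id();
    header('Location: index.php?pagetype=1');
} else {
    header('Location: login.php?err=1');
}
exit;
```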
jgadrow
Forum Newbie
Posts: 22
Joined: Wed Jun 17, 2009 7:56 pm
Location: Cincinnati, Ohio

Re: Is there anyone can tell me about sql injection?

Post by jgadrow »

Technically speaking, prepared statements are the highest level of security currently available. However, this level of security does come with a performance price as you will need to communicate at least twice with the database server. Once to set the query you're going to run and at least once more to fill in the missing parameters. However, if you're performing batch updates, I believe there are optimizations that actually make this a preferred method of performing the queries but I'd have to perform some testing to verify it.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is there anyone can tell me about sql injection?

Post by goldensparrow »

Thank you very much for your answer. Could you please tell me about web penetration testing, and do you have any tools to test it? Thanks again.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is there anyone can tell me about sql injection?

Post by kaisellgren »

jgadrow wrote:Technically speaking, prepared statements are the highest level of security currently available.
Do remember that using Prepared Statements does not mean you can't have SQLi or other SQL related vulnerabilities such as a failure to handle transactions and race condition attacks.
goldensparrow wrote:Could you please tell me about web penetration testing, and do you have any tools to test it?
Is this for me or someone else? So far I have never met a tool that could even match 1/10 of the knowledge of a security expert.
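The prepared-statement version of the same login that jgadrow recommends, as an added example rather than any poster's code. It assumes a mysqli connection in $link from ../include/config.php. As kaisellgren points out, this removes the quoting problem only: the query text and the values travel separately, so nopwd'or'1'='1 is compared as a literal password, but transaction handling and race conditions are still the application's job.

```php
<?php
// Added example: the login from the first post using a mysqli prepared
// statement. The SQL text is sent with ? placeholders; the values are
// bound afterwards and are never parsed as SQL, so quotes in the input
// cannot change the query's structure.
// Assumes ../include/config.php provides a mysqli connection in $link.
// If magic_quotes_gpc is on, stripslashes() the input first, or the
// backslashes will be sent as part of the password and never match.
session_start();
include("../include/config.php");

// Returns the user's level on success, or null when no row matched
// or the statement could not be prepared.
function login_user(mysqli $link, $username, $password) {
    $sql = "SELECT user_level FROM libraly_user"
         . " WHERE user_username = ? AND user_password = ?";
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        // Keep the real error server-side; mysqli_error() shown to the
        // browser would reveal the query and the schema.
        error_log('prepare failed: ' . mysqli_error($link));
        return null;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);   // two strings
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $level);
    $found = mysqli_stmt_fetch($stmt);   // true when a row matched
    mysqli_stmt_close($stmt);
    return $found ? $level : null;
}

$use = isset($_POST['use']) ? $_POST['use'] : '';
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';

$level = login_user($link, $use, $pwd);
if ($level !== null) {
    $_SESSION['ss_use'] = $use;
    $_SESSION['ss_lv']  = $level;
    $_SESSION['ss_id']  = session_id();
    header('Location: index.php?pagetype=1');
} else {
    header('Location: login.php?err=1');
}
exit;
```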
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is there anyone can tell me about sql injection?

Post by goldensparrow »

I found some tools on this web page:
http://www.securityfocus.com/infocus/1722

but I don't know how to start with those tools. If anyone can use them or knows about them, please tell me.

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is there anyone can tell me about sql injection?

Post by kaisellgren »

goldensparrow wrote:I found some tools on this web page
I recommend that you learn security rather than using some tools. Tools are for those who already know about security, because those tools can predominantly just smell the essence of security, but fail to do anything beyond helping you to fix naive vulnerabilities. If I were to use such tools, it would be when coding some complex system where it is too easy to make a mistake (for example, a filter that allows HTML). For sure you can always try tools, as most of them are free, but relying on them is a big no.

You will understand how to use them as you learn PHP and security. Probably the easiest to use tool is http://pixybox.seclab.tuwien.ac.at/pixy/download.php
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is there anyone can tell me about sql injection?

Post by goldensparrow »

Thank you very much, Kai.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is there anyone can tell me about sql injection?

Post by goldensparrow »

I am learning about web security but I don't know how to start; can anybody tell me? I now have some basic web programming, but my knowledge about networks is zero. Should I learn more about networks, or do you have any suggestions?

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is there anyone can tell me about sql injection?

Post by kaisellgren »

First learn PHP well, then SQL (mainly MySQL). After you have learned them, learn HTTP. These three will make you understand security issues better. Especially do not forget to learn HTTP, it helps to understand how things work.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is there anyone can tell me about sql injection?

Post by goldensparrow »

Should I learn networking and OS?

Now I know the OS basics, but my knowledge about networks is zero.

Can I be a security tester if I know only PHP, SQL and HTTP?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Is there anyone can tell me about sql injection?

Post by matthijs »

goldensparrow wrote:Can I be a security tester if I know only PHP, SQL and HTTP?
You can only be a security tester if you know what you need to know about security

At least, that's my opinion..