Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 3:59 am
by goldensparrow
This is my PHP and SQL code:
Code:
<?php
session_start();
include("../include/config.php");

// The username and password are concatenated straight into the query string.
// This string concatenation is the injection point discussed in this thread.
$sql="select * from libraly_user where user_username='".$_POST['use']."' and user_password='".$_POST['pwd']."'";
$rs=mysql_query($sql)or die(mysql_error());
$row=mysql_fetch_assoc($rs);
$num=mysql_num_rows($rs);
if($num>0){
    // session_register() is the PHP 4 style; the $_SESSION assignments below already store the values.
    session_register("ss_use");
    session_register("ss_id");
    session_register("ss_lv");
    $_SESSION['ss_use']=$_POST['use'];
    $_SESSION['ss_lv']=$row['user_level'];
    $_SESSION['ss_id']=session_id();   // session_id() is a function; a bare session_id is an undefined constant
    echo "<script>location.replace('index.php?pagetype=1');</script>";
}else{
    echo "<script>location.replace('login.php?err=1');</script>";
}
?>
I want to test SQL injection on my website, so I entered aaa in the username field and nopwd'or'1'='1 in the password field, but I can't access the index.php page.
I've checked the $sql variable. It prints this:
select * from libraly_user where user_username='aaa' and user_password='nopwd\'or\'1\'=\'1'
This is the reason why I can't access the index page ($_POST['pwd']=nopwd\'or\'1\'=\'1).
But why is $_POST['pwd']=nopwd\'or\'1\'=\'1?
If anyone knows, please tell me, and if you don't understand what I mean, you can ask me.
Thanks.
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 4:22 am
by jazz090
The reason is that you have magic quotes turned on, which gives you some protection, as all quotes are automatically escaped by PHP. But by no means is this a safeguard, and magic_quotes itself is now deprecated and is being removed in PHP 6. If you turn off magic quotes, it should work. However, SQL injection has been becoming less and less of a threat; I have tried to attempt SQL injection, but with no luck. But for one thing, 1=1 is not the only possibility. You could try just submitting " ' " (a single quote) to the SQL. MySQL will then parse it as ''' and of course will throw an error. Now, for those developers who have error reporting turned on, SQL is going to throw an error which is going to give away a lot about your SQL code as well as your database infrastructure. To play it on the safe side, and as you probably know, always use mysql_real_escape_string(). If that can't be used, use addslashes() instead, but note that the former method is MUCH more effective than the latter.
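The login query from the first post, reproduced as an added example that is not part of the thread: it builds the same SQL string in Python against an in-memory SQLite table (assumed to mirror libraly_user, with one constructed row) so goldensparrow's payload can be run with magic quotes off and on, and jazz090's lone-quote probe can be tried too. SQLite escapes a quote inside a literal as '' rather than MySQL's \', so the quote_escape helper stands in for what magic_quotes_gpc did on the page; make_db(), build_login_query(), login(), lone_quote_breaks_query() and the sample row are this example's own assumptions.

```python
import sqlite3

# Added example, not code from the thread. The table mirrors libraly_user from the
# first post; the single row is constructed sample data.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE libraly_user "
               "(user_username TEXT, user_password TEXT, user_level INTEGER)")
    db.execute("INSERT INTO libraly_user VALUES ('admin', 's3cret', 1)")
    return db

def quote_escape(s):
    """Stand-in for what magic_quotes_gpc / addslashes() did to the request data.
    MySQL accepts \\' inside a string literal; SQLite only accepts the doubled
    quote '', so this helper doubles quotes. The effect is the same one the
    poster saw: the quote stays inside the literal instead of terminating it."""
    return s.replace("'", "''")

def build_login_query(user, pwd, escape=None):
    """Builds the SQL exactly as the PHP in the post does, by concatenation.
    escape=None reproduces magic_quotes_gpc=Off; escape=quote_escape, On."""
    if escape is not None:
        user, pwd = escape(user), escape(pwd)
    return ("select * from libraly_user where user_username='" + user +
            "' and user_password='" + pwd + "'")

def login(db, user, pwd, escape=None):
    """True when the concatenated query matches at least one row (the $num>0
    branch). Raises sqlite3.OperationalError when the input breaks the syntax."""
    rows = db.execute(build_login_query(user, pwd, escape)).fetchall()
    return len(rows) > 0

def lone_quote_breaks_query(db, escape=None):
    """jazz090's probe: a single quote as the password. True when the database
    rejects the statement as an unterminated literal, False when it parses."""
    try:
        login(db, "aaa", "'", escape)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    payload = "nopwd'or'1'='1"      # the exact password the original poster tried
    print(build_login_query("aaa", payload))
    print("magic quotes off, bypass works:", login(db, "aaa", payload))
    print(build_login_query("aaa", payload, quote_escape))
    print("magic quotes on, bypass fails:", login(db, "aaa", payload, quote_escape))
    print("lone quote unescaped breaks the query:", lone_quote_breaks_query(db))
    print("lone quote escaped parses fine:", not lone_quote_breaks_query(db, quote_escape))
```

Without escaping the password literal closes after nopwd and the rest becomes `or '1'='1'`, which is true for every row, so $num>0 and the redirect to index.php fires; with the quotes escaped the whole payload is compared as one literal string and no row matches, which is exactly what the printed $sql on the page shows.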
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 6:44 am
by goldensparrow
Thank you for your answer, and may I ask one more question:
if I use this code, the attacker has no way to attack my website by the SQL injection method for PHP 4, right?
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 10:27 am
by jazz090
Like I said, magic_quotes is being deprecated in PHP 5.3.0 and removed as of 6.0.0. Inserting a POST variable in an SQL query is like MySQL suicide. What you have to do is first validate, so you know the user has entered it in a correct format, i.e. the telephone number doesn't contain any text, or if you are logging people in by email, then check to see if it's a valid email address. This to some degree gives you protection. Then you pass the validated string through mysql_real_escape_string() and you feed that into MySQL. A rule of thumb is that no programming architecture is immune to hacks, so you must do your best to close as many doors as you can so the hacker can't get in. The two steps I mentioned provide some security in logging in, but there are still ways an attacker could gain access, e.g. brute force attacks; that is something to think about. But these are highly sophisticated hacks and take a long time to show results, so unless you have a very popular website I would say it's not needed. In the end, you should consider the importance of your website and find a balance between security and user experience, because more often than not, as security is increased, user experience tends to go down.
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 1:24 pm
by kaisellgren
Don't use addslashes() and don't use Magic Quotes; use mysql(i)_real_escape_string(). If you can't disable Magic Quotes (a stupid web host - time to switch, perhaps?), then you can stripslashes() all incoming request data at the beginning of the script.
goldensparrow wrote: if I use this code, the attacker has no way to attack my website by the SQL injection method for PHP 4, right?
Wrong. Most SQLi attacks (especially the naive ones) can be beaten with addslashes() or Magic Quotes, but there are situations where addslashes() or Magic Quotes do not prevent SQLi.
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 9:56 pm
by jgadrow
Technically speaking, prepared statements are the highest level of security currently available. However, this level of security does come with a performance price, as you will need to communicate at least twice with the database server: once to set the query you're going to run and at least once more to fill in the missing parameters. However, if you're performing batch updates, I believe there are optimizations that actually make this the preferred method of performing the queries, but I'd have to perform some testing to verify it.
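An added example, not code from the thread, for the two points above: kaisellgren's remark that addslashes() and Magic Quotes do not stop every injection, and jgadrow's recommendation of prepared statements. It assumes a profile-lookup page of the form `where user_id=$_GET['id']` that the thread does not show, a constructed libraly_user table with an extra user_id column and two sample rows, and an addslashes() emulation; it then runs the same lookup and the thread's login query as parameterised queries. make_db(), addslashes(), profile_concat(), profile_param() and login_param() are this example's own names.

```python
import sqlite3

# Added example, not code from the thread. Constructed table with an assumed
# user_id column and two sample rows; the profile page is hypothetical.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE libraly_user ("
               "user_id INTEGER, user_username TEXT, user_password TEXT, user_level INTEGER)")
    db.executemany("INSERT INTO libraly_user VALUES (?, ?, ?, ?)",
                   [(1, "admin", "s3cret", 9), (2, "goldensparrow", "books", 1)])
    return db

def addslashes(s):
    """What magic_quotes_gpc / PHP's addslashes() do to request data:
    backslash-escape backslashes, single quotes and double quotes. Nothing else."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def profile_concat(db, user_id):
    """A lookup such as where user_id=$_GET['id'], with addslashes() applied first.
    The value sits in an unquoted numeric position, so the attacker needs no
    quote at all and the escaping changes nothing."""
    sql = ("select user_username, user_level from libraly_user where user_id="
           + addslashes(user_id) + " order by user_id")
    return db.execute(sql).fetchall()

def profile_param(db, user_id):
    """The same lookup as a parameterised query: the statement text is fixed and
    the value is bound separately, so it is compared as a value, never parsed
    as SQL. A non-numeric string simply matches no row."""
    return db.execute("select user_username, user_level from libraly_user "
                      "where user_id=? order by user_id", (user_id,)).fetchall()

def login_param(db, user, pwd):
    """The thread's login query, parameterised. True when one row matches;
    the 'or '1'='1' trick is now just an unusual password string."""
    rows = db.execute("select user_level from libraly_user "
                      "where user_username=? and user_password=?", (user, pwd)).fetchall()
    return len(rows) > 0

if __name__ == "__main__":
    db = make_db()
    evil_id = "2 or 1=1"            # contains no quote, so addslashes() leaves it untouched
    print("addslashes(evil_id) ->", addslashes(evil_id))
    print("concatenated + escaped:", profile_concat(db, evil_id))   # both rows leak
    print("parameterised:         ", profile_param(db, evil_id))   # no row matches
    print("login bypass with parameters:", login_param(db, "aaa", "nopwd'or'1'='1"))
```

The point of the contrast is where the defence lives: escaping tries to keep data inside a quoted literal, so it only helps where a literal exists, whereas binding parameters keeps the data out of the statement text altogether. Input validation (jazz090's step, e.g. rejecting a non-integer id) is still worth doing on top, but it is the binding that removes the injection.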
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 17, 2009 11:59 pm
by goldensparrow
Thank you very much for your answer. Could you please give me some information about web penetration testing, and do you have any tools for testing it? Thanks again.
Re: Is there anyone can tell me about sql injection?
Posted: Thu Jun 18, 2009 5:29 am
by kaisellgren
jgadrow wrote:Technically speaking, prepared statements are the highest level of security currently available.
Do remember that using Prepared Statements does not mean you can't have SQLi or other SQL related vulnerabilities such as a failure to handle transactions and race condition attacks.
goldensparrow wrote: could you please give me some information about web penetration testing, and do you have any tools for testing it
Is this for me or someone else? So far I have never met a tool that could even match 1/10 of the knowledge of a security expert.
Re: Is there anyone can tell me about sql injection?
Posted: Thu Jun 18, 2009 6:12 am
by goldensparrow
I found some tools on this web page:
http://www.securityfocus.com/infocus/1722
but I don't know how to start with those tools. If anyone can use them or knows about them, please tell me.
Thanks.
Re: Is there anyone can tell me about sql injection?
Posted: Thu Jun 18, 2009 7:51 am
by kaisellgren
goldensparrow wrote: I found some tools on this web page
I recommend that you learn security rather than using some tools. Tools are for those who already know about security, because those tools can predominantly just smell the essence of security but fail to do anything beyond helping you to fix naive vulnerabilities. If I were to use such tools, I would be coding some complex system where it is too easy to make a mistake (for example, a filter that allows HTML). For sure you can always try tools, as most of them are free, but relying on them is a big no.
You will understand how to use them as you learn PHP and security. Probably the easiest tool to use is
http://pixybox.seclab.tuwien.ac.at/pixy/download.php
Re: Is there anyone can tell me about sql injection?
Posted: Thu Jun 18, 2009 10:11 pm
by goldensparrow
Thank you very much, Kai.
Re: Is there anyone can tell me about sql injection?
Posted: Tue Jun 23, 2009 4:19 am
by goldensparrow
I am learning about web security, but I don't know how to start; can anybody tell me? Now I have some basic web programming, but my knowledge about networks is zero. Should I learn more about networking, or do you have any suggestions?
Thanks.
Re: Is there anyone can tell me about sql injection?
Posted: Tue Jun 23, 2009 7:20 am
by kaisellgren
First learn PHP well, then SQL (mainly MySQL). After you have learned them, learn HTTP. These three will make you understand security issues better. Especially do not forget to learn HTTP; it helps you understand how things work.
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 24, 2009 2:32 am
by goldensparrow
Should I learn networking and OS?
Now I know the OS basics, but my knowledge about networking is zero.
Can I be a security tester if I know only PHP, SQL and HTTP?
Re: Is there anyone can tell me about sql injection?
Posted: Wed Jun 24, 2009 5:46 am
by matthijs
goldensparrow wrote: Can I be a security tester if I know only PHP, SQL and HTTP?
You can only be a security tester if you know what you need to know about security.
At least, that's my opinion..