Sql Injections (Escaping)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

clR3vv
Forum Newbie
Posts: 2
Joined: Wed Nov 11, 2009 2:05 am

Sql Injections (Escaping)

Post by clR3vv »

For my security class my teacher said I can choose what I learn and do everything on my own. I decided to start with MySQL injections. I started to set up a page to demonstrate one but have run into problems in making my code error.

This is part of my PHP code

Code:

$mysql = "SELECT * From Users WHERE Email='$email' AND Password='$password';";
$result = mysql_query($mysql);
In the HTML form that gets the email (PHP gathers the value from the post value) I enter <user' OR 1=1; -- > (without the brackets). I have tried a few different things but all end with it not escaping and the injection failing. Some people have asked about my php.ini file and magic quotes (on by default) and I even turned that off (then restarted Apache).

I expect that the injection should select user on the table and display the whole row ignoring if the password is correct or not.

Any help is greatly appreciated!

Thanks,

clR3vv
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Sql Injections (Escaping)

Post by VladSun »

Code:

$mysql = "SELECT * From Users WHERE Email='$email' AND Password='$password';";
echo $mysql; // see what you've done ; )
$result = mysql_query($mysql);
There are 10 types of people in this world, those who understand binary and those who don't
clR3vv
Forum Newbie
Posts: 2
Joined: Wed Nov 11, 2009 2:05 am

Re: Sql Injections (Escaping)

Post by clR3vv »

It gives me this...
SELECT * From Users WHERE Email='user' OR 1=1; --' AND Password='';

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 19

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 21
Not Logged in
Here is my code if that helps at all. And yes, there is a user in the db named user.

http://pastebin.com/m7af347ec
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Sql Injections (Escaping)

Post by VladSun »

And what does mysql_error() say about it ;) ?
nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

Re: Sql Injections (Escaping)

Post by nga »

Usually it has something to do with your connection to the database. Double-check it!

And your input is not escaped at all?

Are you trying to hack your code or trying to test if injection is prevented?
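
The login query from this thread rewritten with bound parameters, as an added example that is not code from any poster. It goes a step beyond the thread by storing a password hash instead of comparing plaintext. Assumptions: PHP 7.1+ with the pdo_sqlite extension (an in-memory SQLite database stands in for the MySQL server), and the table layout, the PasswordHash column and the sample password are constructed.

```php
<?php
// Added example: constructed schema and sample data, not the poster's code.
$pdo = new PDO('sqlite::memory:');

// Throw on SQL errors. The thread's "not a valid MySQL result resource"
// warnings appear when a failed query's false return value is passed on
// unchecked; with exceptions the failure surfaces at the query itself.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE Users (Email TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO Users (Email, PasswordHash) VALUES (?, ?)');
$insert->execute(['user', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns true only when the email exists and the password matches its hash.
 */
function login(PDO $pdo, string $email, string $password): bool
{
    // The SQL text is fixed; $email travels separately as a bound value,
    // so quotes, semicolons and comment markers in it are plain data.
    $stmt = $pdo->prepare('SELECT PasswordHash FROM Users WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn(); // false when no row matches

    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs; the second is the string entered in the thread.
$attempts = [
    ['user', 'correct horse'],
    ["user' OR 1=1; -- ", ''],
    ['user', 'wrong'],
];

foreach ($attempts as [$email, $password]) {
    printf(
        "%-24s => %s\n",
        var_export($email, true),
        login($pdo, $email, $password) ? 'Logged in' : 'Not Logged in'
    );
}
```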