
Sql Injections (Escaping)

Posted: Thu Nov 12, 2009 3:01 pm
by clR3vv
For my security class my teacher said I can choose what I learn and do everything on my own. I decided to start with MySQL injections. I started to set up a page to demonstrate one but have run into problems in making my code error.

This is part of my PHP code:

Code:

$mysql = "SELECT * From Users WHERE Email='$email' AND Password='$password';";
$result = mysql_query($mysql);

In the HTML form that gets the email (PHP gathers the value from the POST value) I enter <user' OR 1=1; -- > (without the brackets). I have tried a few different things but all end with it not escaping and the injection failing. Some people have asked about my php.ini file and magic quotes (on by default) and I even turned that off (then restarted Apache).

I expect that the injection should select user on the table and display the whole row ignoring if the password is correct or not.

Any help is greatly appreciated!

Thanks,

clR3vv

Re: Sql Injections (Escaping)

Posted: Thu Nov 12, 2009 3:40 pm
by VladSun

Code:

$mysql = "SELECT * From Users WHERE Email='$email' AND Password='$password';";
echo $mysql; // see what you've done ; )
$result = mysql_query($mysql);

Re: Sql Injections (Escaping)

Posted: Thu Nov 12, 2009 7:07 pm
by clR3vv
It gives me this...
SELECT * From Users WHERE Email='user' OR 1=1; --' AND Password='';

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 19

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 21
Not Logged in

Here is my code if that helps at all. And yes, there is a user in the db named user.

http://pastebin.com/m7af347ec

Re: Sql Injections (Escaping)

Posted: Fri Nov 13, 2009 3:02 am
by VladSun
And what does mysql_error() say about it ;) ?

Re: Sql Injections (Escaping)

Posted: Wed Dec 09, 2009 12:16 am
by nga
Usually it has something to do with your connection to the database. Double check it!

And your input is not escaped at all?

Are you trying to hack your code or trying to test if injection is prevented?
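
The login query from this thread rewritten with bound parameters, next to the concatenated string the original code builds; this is an added example, not code posted by anyone in the thread. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection, and the helper names `make_db`, `build_concatenated` and `find_user` and the sample row are made up for illustration.

```php
<?php
// Added example, not code from the thread. PDO with an in-memory SQLite
// database stands in for the thread's MySQL server (assumption); the table and
// column names come from the thread's query, the sample row is constructed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (Email TEXT, Password TEXT)');
    // The plaintext Password column only mirrors the thread's table layout.
    $db->prepare('INSERT INTO Users VALUES (?, ?)')->execute(['user', 's3cret']);
    return $db;
}

// The thread's approach: input is spliced into the SQL text, so a quote in
// $email ends the string literal and whatever follows is parsed as SQL.
function build_concatenated(string $email, string $password): string
{
    return "SELECT * From Users WHERE Email='$email' AND Password='$password';";
}

// Hardened form: the SQL text is constant and both values are bound
// parameters, so the database never parses them as SQL.
function find_user(PDO $db, string $email, string $password): array
{
    $stmt = $db->prepare(
        'SELECT * FROM Users WHERE Email = :email AND Password = :password'
    );
    $stmt->execute([':email' => $email, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$input = "user' OR 1=1; -- ";   // the value entered in the thread's form

// Same check VladSun suggested: print the query the concatenation produces.
echo build_concatenated($input, ''), "\n";

// With bound parameters the same input is compared as a literal email value.
echo 'thread input, bound: ', count(find_user($db, $input, '')), " row(s)\n";
echo 'valid credentials:   ', count(find_user($db, 'user', 's3cret')), " row(s)\n";
echo 'wrong password:      ', count(find_user($db, 'user', 'wrong')), " row(s)\n";
```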