
MySQL injection tests for login box


He has: 107 posts

Joined: Mar 2006

How do I test entering username and password to see if a MySQL injection would work?

I have tried a lot of different combinations but still don't know if I am doing it correctly; all the tutorials on the net say use '1=1 or something like '1 OR 1, but I don't know how to test if they are working or not.

1) Do I put a username (any made up username) first and then ' followed by mysql query?

2) The same for the password, followed by '?

3) What do I put after the '?

Developer

He has: 365 posts

Joined: Nov 2005

If you used mysql_real_escape_string on any variables you run through the query then you don't really need to check it.
That function will "escape" certain chars in a string like ' " etc so they are read as text only.
So regardless of what a user types in an input box where that input data is stored in a variable and used in a query, it will only ever be used as text, so it can't change your query.

So if a user enters into an input field ' OR '1=1' , instead of it changing your query to - where username = '' OR '1=1'
The actual string will contain the TEXT - '' OR 1=1''
So it is now looking for a user called by the name: '' OR 1=1''
("single quote space OR 1 = 1 single quote)

I suppose you could test it by entering that data into your DB as a username, to see if it does find a username by that name. If it finds a user called: '' OR 1=1'' then you know it works fine.

You could also test it by trying to change the query yourself to look for something you know exists.

So if you have a username in the DB called "drew", type this in your input box
' OR 'drew'
It shouldn't work if you escaped the string first, as it will be looking for a username called: ' OR 'drew'
(single quote OR single quote drew single quote)

I never really test that far, as I put all vars that go through the query through real_escape_string first; I just trust it, as I know how escaping chars in PHP works.

This might help you
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

And lots of other info
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
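The test the original poster asked for, as an added example that is not from this thread: a login lookup that concatenates the input into the SQL (the case the answer above warns about) next to one that binds the input as a parameter, with the two probe inputs from the thread run through both. It uses Python and an in-memory SQLite table as a stand-in for the PHP/MySQL setup (an assumption; the query mechanics are the same), and the users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# thread's MySQL users table (the query mechanics are the same).
USERS = [("drew", "s3cret"), ("mike", "hunter2")]

# The two probe inputs suggested in the thread, as (username, password) pairs.
PROBES = [("drew", "' OR '1'='1"), ("' OR 'drew'", "x")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is pasted into the SQL text, so a quote in the input
    closes the literal and whatever follows is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened: the driver sends the values separately from the SQL text,
    so the input can only ever be compared as a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(conn, login):
    """Run each probe through a login function and classify the outcome:
    'bypass'   - someone was logged in without a valid password
    'error'    - the SQL failed to parse, i.e. the quote reached the parser
    'rejected' - the input was compared as plain text and matched nobody"""
    results = {}
    for username, password in PROBES:
        try:
            hit = login(conn, username, password)
            results[(username, password)] = "bypass" if hit else "rejected"
        except sqlite3.Error:
            results[(username, password)] = "error"
    return results


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", probe(db, login_concat))
    print("parameterized:", probe(db, login_param))
```

A result of "error" is as much a red flag as "bypass": it means the quote character reached the SQL parser instead of being treated as text.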

He has: 107 posts

Joined: Mar 2006

That's a great explanation as always, thanks!

Developer

He has: 365 posts

Joined: Nov 2005

Glad to help.

One other thing I will mention, a lesson I learned recently.
The mysql_real_escape_string() function needs a database connection FIRST to actually work.
Something about it using the database char set for its escape parameters (something like that).

So have the mysql_connect() and mysql_select_db() before you escape the strings. I found it returns an error if you don't, and as with all PHP errors it halts the PHP script completely so stops the page working/loading.

Sponsor

He has: 470 posts

Joined: Sep 2006

If you want to escape the string before connecting to the database, you can use mysql_escape_string(). This function is probably safe to use as long as your database doesn't use some funky charset.

See this thread for more info.

Developer

He has: 365 posts

Joined: Nov 2005

According to PHP.net that is deprecated, and does not escape % and _.

Besides, if you are using mysql_real_escape you are doing a database query, and if you are doing a database query you have a connection.

The three are a package, and without a DB connection and a query, the escape is pointless.
And they will keep working on and updating real_escape; as the other one is deprecated, it won't receive improvements.

Also, I think the fact it escapes the string according to the database's current character set makes it more robust and less likely to give an error.

php.net wrote:
mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().

So in my opinion you should use real_escape.