Why I cannot do SQL injection testing using MySQL and PHP - Collection of common programming errors
I was trying to check a web site for an SQL injection attack and was amazed to see that it is not very, very simple to prevent, because below is the simple code.
$sql="select * from user_acount where login_id='".$username."' and password='".$password."' and status='1' ";
I cannot do any SQL injection to test it. I wrote the following:
1st attempt to check SQL injection:
Login: admin'--
Password: (I typed nothing here)
Result: Wrong password, you cannot login.
2nd:
Login: admin or 1=1 --'
Password: ''
Result: Wrong password, you cannot login.
3rd:
Login: admin' or 1=1
Password: ''
4th:
Login: admin or 1=1'--
Password: ''
Result: Wrong password, you cannot login.
Can anyone please explain what is stopping me? I am not using prepared statements, nor am I using any filter class, nor do I have real_escape_string.
-
Two possibilities:
- There is no login_id 'admin', therefore the query looks like:
  select * from user_acount where login_id='admin'
- magic_quotes has been enabled, resulting in queries like:
  select * from user_acount where login_id='admin\'--' and password='' and status='1'
  select * from user_acount where login_id='admin or 1=1 --\'' and password='' and status='1'
The last query will always fail, even if magic quotes was turned off:
  select * from user_acount where login_id='admin or 1=1 --'' and password='' and status='1'
Because -- comments within strings do not work, the query is interpreted like:
  select * from user_acount where login_id='STRING'' and password='' and status='1'
As you can see, this will result in a syntax error after 'STRING'.
-
- Magic Quotes might be turned on (so user input is automatically processed to be better suited for composing database queries).
- Register Globals might be turned off (so you would have to use $_REQUEST['username'] or related instead of $username).
- There might be a bug in your program that prevents the input admin'-- from being stored in $username (e.g. form element names do not match variable names).
-
You are entering a password which includes quotes. This breaks your SQL query, and presumably the code does not distinguish between an error and a legitimate “no such user” result, so you get the wrong password message.
Try leaving the password blank.
-
You don't actually call the real_escape_string() method, but I think magic_quotes_gpc is set to true. When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically.
Runtime Configuration - magic_quotes_gpc
-
Have you tried with:
Login: admin' or '1=1
Password: admin' or '1=1
Also check for magic quotes being turned on.
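The answers above all come down to the same two points: with string concatenation the structure of the query depends on what the user typed (and on whether magic_quotes_gpc happens to be rewriting that input), and a query that fails with a syntax error is indistinguishable from a failed login if the code never checks for errors. The following is an added example written for this page, not code from the thread. It places the question's concatenated query beside a prepared-statement version and assumes a mysqli connection in $mysqli, the thread's user_acount table with columns login_id, password and status, and that the password column holds a password_hash() digest rather than plaintext (the thread compares plaintext; the hashed comparison is a swapped-in practice, not something the original code does).

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection in $mysqli
// and the thread's table user_acount(login_id, password, status), where
// `password` stores a password_hash() digest (assumption, not the thread's schema).

// Vulnerable form from the question: user input is spliced into the SQL text,
// so the quoting and comment structure of the query depend on what was typed.
function login_unsafe(mysqli $mysqli, string $username, string $password): bool
{
    $sql = "select * from user_acount where login_id='" . $username
         . "' and password='" . $password . "' and status='1'";
    $result = $mysqli->query($sql);
    // A syntactically broken query makes query() return false; treating that
    // as "wrong password" hides the error, which is what one answer points out.
    return $result !== false && $result->num_rows > 0;
}

// Hardened form: the SQL text and the values travel separately, so quotes,
// backslashes or "--" in the input cannot change the statement's structure,
// regardless of whether magic quotes are on. The password is verified in PHP.
function login_safe(mysqli $mysqli, string $username, string $password): bool
{
    $stmt = $mysqli->prepare(
        "SELECT password FROM user_acount WHERE login_id = ? AND status = '1'"
    );
    if ($stmt === false) {
        // Surface the error instead of folding it into a login failure.
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // true when a row was read, null when none matched
    $stmt->close();

    // password_verify() reads the salt and cost from the stored digest.
    return $found === true && password_verify($password, $storedHash);
}

// Reports whether legacy magic quotes are still silently rewriting request
// input. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4;
// get_magic_quotes_gpc() itself was removed in PHP 8.0, hence the guard.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && (bool) get_magic_quotes_gpc();
}
```

The prepared statement only fetches the stored digest for the given login_id, so the database never sees the submitted password at all; a wrong password and a nonexistent user both return false from login_safe(), while a database error is raised as an exception rather than reported as a failed login. On any PHP release from 5.4 onward, magic_quotes_active() returns false, so none of the escaping the answers describe applies and the concatenated form in login_unsafe() is exposed exactly as the question expected.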