{"id":2578,"date":"2022-08-30T15:26:02","date_gmt":"2022-08-30T15:26:02","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/02\/04\/why-i-can-not-do-sql-injection-testing-using-mysql-and-php-collection-of-common-programming-errors\/"},"modified":"2022-08-30T15:26:02","modified_gmt":"2022-08-30T15:26:02","slug":"why-i-can-not-do-sql-injection-testing-using-mysql-and-php-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2022\/08\/30\/why-i-can-not-do-sql-injection-testing-using-mysql-and-php-collection-of-common-programming-errors\/","title":{"rendered":"why i can not do sql injection testing using mysql and php-Collection of common programming errors"},"content":{"rendered":"

i was trying to check a web site for an sql injection attack and amazed to see it not very very simple to prevent because below is the simple code .<\/p>\n

$sql=\"select * from user_acount where login_id='\".$username.\"' and password='\".$password.\"' and status='1' \";\n<\/code><\/pre>\n
i can not do any sql injection to test it. i wrote the following<\/p>\n
1st Attempt to check sql injection<\/p>\n
Login:  admin'--\nPassword:'i typed nothing here '\n<\/code><\/pre>\n
Result Wrong password you cannot login.<\/p>\n
2nd:<\/p>\n
Login:  admin or 1=1 --' \nPassword:''\n<\/code><\/pre>\n
Result Wrong password you cannot login.<\/p>\n
3rd:<\/p>\n
Login:  admin' or 1=1 \nPassword:''\n<\/code><\/pre>\n
4th: Login: admin or 1=1′– Password:”<\/p>\n
Result Wrong password you cannot login.<\/p>\n
Can anyone please explain what is stopping me ? i am not using prepared statements nor i am using any filter class neither i have real_escape_string ?<\/p>\n
    \n
  1. \n
    Two possibilities:<\/p>\n
      \n
    1. \n
      There is no login_id<\/code> with admin<\/code>, therefore the query looks like:<\/p>\n
      select * from user_acount where login_id='admin'\n<\/code><\/pre>\n<\/li>\n
    2. \n
      magic_quotes<\/code> have been enabled, resulting in queries like:<\/p>\n
      select * from user_acount where login_id='admin\\'--' and password='' and status='1'\nselect * from user_acount where login_id='admin or 1=1 --\\'' and password='' and status='1'\n<\/code><\/pre>\n
      The last query will always fail, even if magic quotes was turned off:<\/p>\n
      select * from user_acount where login_id='admin or 1=1 --'' and password='' and status='1'\n<\/code><\/pre>\n
      Because --<\/code> comments within strings do not work, the query is interpreted like:<\/p>\n
      select * from user_acount where login_id='STRING'' and password='' and status='1'\n<\/code><\/pre>\n
      As you can see, this will result in a syntax error after 'STRING'<\/code><\/p>\n<\/li>\n<\/ol>\n<\/li>\n
    3. \n
        \n
      • Magic Quotes might be turned on (so user input is automatically processed to be better suited for composing database queries).<\/li>\n
      • Register Globals might be turned off (so you would have to use $_REQUEST['username']<\/code> or related instead of $username<\/code>).<\/li>\n
      • There might be a bug in your programm, that prevents the input admin'--<\/code> from being stored in $username<\/code> (e. g. form element names do not match variable names).<\/li>\n<\/ul>\n<\/li>\n
      • \n
        You are entering a password which includes quotes. This breaks your SQL query, and presumably the code does not distinguish between an error and a legitimate “no such user” result, so you get the wrong password message.<\/p>\n
        Try leaving the password blank.<\/p>\n<\/li>\n
      • \n
        You don’t actually call the real_escape_string()<\/code> method, but I think magic_quotes_gpc<\/code> is set to true.<\/p>\n
        \n
        When magic_quotes are on, all ‘ (single-quote), ” (double quote), \\ (backslash) and NUL’s are escaped with a backslash automatically.<\/p>\n<\/blockquote>\n
        Runtime Configuration – magic_quotes_gpc<\/p>\n<\/li>\n
      • \n
        Have you tried with:<\/p>\n
        Login:  admin' or '1=1  \nPassword: admin' or '1=1\n<\/code><\/pre>\n
        Also check for magic quotes turned on<\/p>\n<\/li>\n<\/ol>\n
        Originally posted 2014-02-04 01:42:34. <\/small><\/p>","protected":false},"excerpt":{"rendered":"
        i was trying to check a web site for an sql injection attack and amazed to see it not very very simple to prevent because below is the simple code . $sql=”select * from user_acount where login_id='”.$username.”‘ and password='”.$password.”‘ and status=’1’ “; i can not do any sql injection to test it. i wrote the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2578","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/2578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=2578"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/2578\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=2578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=2578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=2578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}