Posted by Andy Hassall on 12/21/05 16:21

On 21 Dec 2005 01:03:30 -0800, "pantagruel" <rasmussen.bryan@gmail.com> wrote:

>Hi, I'm worried that one of our online applications is exposed to a
>possible SQL injection attack. I don't have the code for the
>application as it is developed by a third party but the request:
>
>my.php?x='1+1'

OK, bear in mind that "+" in URLs means a space.

>returns the error
>
>Database error: Invalid SQL: SELECT x_id, x_type FROM object WHERE
>x_serial = ''1 1''
>MySQL Error: 1064 (You have an error in your SQL syntax. Check the
>manual that corresponds to your MySQL server version for the right
>syntax to use near '1 1''' at line 1)
>Session halted.

You can see that the value has gone directly into the SQL statement,
surrounded by single quotes. The "+" was replaced by a space because of the way
spaces in URLs are encoded.

>Now looking at that it seems not to be open to an SQL injection because
>the x querystring parameter was cleansed before being passed to
>x_serial, at least that is my interpretation.

My interpretation is that no cleansing has taken place at all.

>does this seem reasonable? Other than that I am of course somewhat
>annoyed at the application spitting out sql code in its error report.
>
>Is there anything I should try to pass as a parameter that will tell me
>for sure if it is allowing SQL injection. The database, which I found
>out from another error code on another page, is MySQL.

Something like:

my.php?x='+or+'x'%3d'x

That should produce the query:

SELECT x_id, x_type FROM object WHERE x_serial = '' or 'x'='x'

Which, instead of fetching the row(s) matching the value of x_serial passed,
will return all data.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
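
The contrast Andy describes, as an added example that is not part of the original thread: a Python/sqlite3 stand-in (constructed table and rows; the real application is PHP on MySQL, whose code we do not have) for the interpolating query the error message reveals, beside the parameterized form that treats the same value as data rather than SQL.

```python
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for the poster's `object` table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE object (x_id INTEGER, x_type TEXT, x_serial TEXT)")
    con.executemany(
        "INSERT INTO object VALUES (?, ?, ?)",
        [(1, "a", "S-100"), (2, "b", "S-200"), (3, "c", "S-300")],
    )
    return con


def lookup_interpolated(con, raw_x):
    """The pattern the error text reveals: URL-decode the query-string value
    ('+' becomes a space, as Andy notes) and splice it straight into the SQL
    between single quotes. Returns (sql_text, rows, error_message)."""
    x = unquote_plus(raw_x)
    sql = f"SELECT x_id, x_type FROM object WHERE x_serial = '{x}'"
    try:
        return sql, con.execute(sql).fetchall(), None
    except sqlite3.Error as e:  # the SQLite counterpart of "MySQL Error: 1064"
        return sql, None, str(e)


def lookup_parameterized(con, raw_x):
    """Hardened form: the value is bound as a parameter, so quotes and
    keywords inside it can never change the statement's structure."""
    x = unquote_plus(raw_x)
    sql = "SELECT x_id, x_type FROM object WHERE x_serial = ?"
    return sql, con.execute(sql, (x,)).fetchall(), None


if __name__ == "__main__":
    db = make_db()
    for raw in ("S-200", "'1+1'", "'+or+'x'%3d'x"):
        print("interpolated :", lookup_interpolated(db, raw))
        print("parameterized:", lookup_parameterized(db, raw))
```

Run as a script it prints, for each of the three inputs, the exact SQL text each version sends and what comes back: the interpolated version breaks on `'1+1'` and returns every row on the `or 'x'='x` input, while the parameterized version returns only the matching row for `S-200` and nothing otherwise.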
