SQL injection help

Jong

I'm writing on a little assignment which among other things includes how to prevent SQL injection attacks, and for that purpose I have an example on how NOT to do. The only "small" problem is, I can't get my example to work.

SELECT user FROM usernames WHERE user='".$_POST['user']."' AND pass='".$_POST['pass']."'

I've read it should be possible to inject the above code with ' OR '1=1, so the result would be

WHERE user='' OR '1=1'

but I can't get it to work. It isn't cool having an example you can't (or I can't) inject, so help much appreciated 😉

drawmack

disregard

drawmack

$sql = "SELECT user FROM usernames WHERE user='" . $_POST['user'] . "' AND pass='" . $_POST['pass'] . "'

let's analyse this:

$_POST['user'] = ' or 1=1

then your final sql statement is this

SELECT user FROM usernames WHERE user='' or 1=1 AND pass=''

that's probably not going to work as you would need a record with a blank password. The type of injection that may work in this scenario is this
user = ''
pass = '; "SELECT user FROM usernames WHERE <admin>"

of course the <admin> is pseudocode for how ever you mark admins in your database.

Jong

Hmm that's going to be tricky to explain in my little assignment how to get hold on the table name, usernames.

By the way ' OR 1=1 I got from this article. The --- someone told me in another forum it wasn't a syntax for MySQL.

Anyway thanks so far for your help 🙂

Jong

I have actual solved the problem with ' OR 1=1. I missed something in the end instead of the three ---. I don't know if I should or am allowed to post the solution related to my little example?