I'm trying to learn SQL injections so I can protect myself in the future.
Here is the PHP code:
$req = mysql_query("INSERT INTO ip_change VALUES('', '".$_SESSION['id']."', '".$_POST['raison']."')") or die(mysql_error());
And the user has full control over $_POST['raison'] content.
When i use 'hello as $_POST['raison'] value I get
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'hello')' at line 1
When i use '); DELETE * FROM tabledetest;") or die(mysql_error());-- as $_POST['raison'] value I get
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'DELETE * FROM tabledetest;") or die(mysql_error());--')' at line
1
So I don't understand why my request isn't injected and I can't delete my tabledetest table.
Any help would be appreciated.
It is because you didn't do proper injection!
Here is the one you have done. The auto-format will hint you:
<?php
$_SESSION['id'] = "123"; //Just assume
$req = mysql_query("INSERT INTO ip_change VALUES('', '123', ''hello')") or die(mysql_error());
It didn't properly end the statement.
For the next one:
$req = mysql_query("INSERT INTO ip_change VALUES('', '123', ''); DELETE * FROM tabledetest;") or die(mysql_error());--')") or die(mysql_error());
From the manual:
mysql_query() sends a unique query (multiple queries are not
supported) to the currently active database on the server that's
associated with the specified link_identifier.
mysqli has support for multiple statements.
-- can't comment PHP code! PHP comment is // or #
Some of the links that might help you: [Similar to your question]
https://en.wikibooks.org/wiki/PHP_Programming/SQL_Injection_Attacks
http://roshanbh.com.np/2007/12/sql-injection-attack-examples-and-preventions-in-php.html
SQL injection test - mysql_query
To protect from SQL injection you should not inject the variables directly to query use Prepared Statements instead.
Related
I'm a new user of this website.
I'm trying to execute this simple query:
$id_book=$_REQUEST['id_book'];
$date=date("Y/m/d");
$sql="INSERT INTO books(id_book,date) VALUES($id_book,'$date')";
if(!$mysqli->query($sql)){
die($mysqli->error.". ".$mysqli->errno);
};
but got this error message:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''2019/02/27')' at line 1. 1064
What am I doing wrong? Can someone help me please?
First, DO NOT inject that $_REQUEST['id_book'] variable into your SQL, see How can I prevent SQL injection in PHP? and use a prepared statement.
You need to use the correct DATE format for MySQL:
$date = date("Y-m-d");
Also date is a reserved word in MySQL, so choose something else for the column name or use backticks:
// placeholders for prepared statement ?
$sql = "INSERT INTO books(id_book, `date`) VALUES(?, ?)";
Try converting proprly the date string in date
$sql="INSERT INTO books(id_book,date) VALUES($id_book,str_to_date('$date', '%Y/%m/%d')";
anyway you should not use php var in sql .. you are at risk for sqlinjection .. for avoid this take a look at you msysql driver for prepared statement and binding param
I am trying to insert a ' symbol into my database and have the below code.
$actionurl =$_POST['actionurl'];
$newtitle = $_POST['newtitle'];
$newtitle = mysql_real_escape_string($newtitle);
$result2 = mysql_query("UPDATE links SET title='$newtitle' WHERE url='$actionurl'")
or die(mysql_error());
And I get this error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's to start up a sample library (forum thread)'' at line 1
Why am I getting an error if I'm using mysql_real_escape_string on the $newtitle variable?
I suspect that it's actionurl that is causing the error, not $newtitle.
To debug this, echo or print the SQL statement to be executed.
You can do something like this:
$sql = "UPDATE links SET title='$newtitle' WHERE url='$actionurl'";
// for debugging, output contents of the $sql string
echo "SQL=" . $sql ;
mysql_query($sql) or die(mysql_error();
As others have already suggested, the mysql_ interface is deprecated. New development should use either mysqli or PDO. And use prepared statements with bind placeholders. It just seems nonsensical to be struggling with mysql_real_escape_string in 2016.
Are magic quotes on in your php.ini? If yes, disabling it should solve your issue. (It could be enabled by default)
I'm trying to insert some values into the database using information posted on a form through php
following is the code that i'm using for insertion
$query=mysql_query("select * from poll_question where question = '$question'") or die(mysql_error());
$numrows=mysql_num_rows($query);
if($numrows)
{
while($row=mysql_fetch_assoc($query))
{
$dbid=$row['id'];
}
}
$sql1 = "INSERT INTO poll_option(option , poll_id ,click)
VALUES('$_POST[optionone]',
'$dbid' , 0)";
$result1 = mysql_query($sql1);
echo "1 record added";
echo mysql_error();
$sql2 = "INSERT INTO poll_option(option , poll_id , click)
VALUES('$_POST[optiontwo])',
'$dbid', 0)";
$result2 = mysql_query($sql2);
echo mysql_error();
$sql3 = "INSERT INTO poll_option(option , poll_id, click)
VALUES('$_POST[optionthree])',
'$dbid ', 0)";
$result3 = mysql_query($sql3);
echo mysql_error();
now i'm getting the following output
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id ,click) VALUES('sj', '24' , 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id , click) VALUES('dsdg', '24', 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id, click) VALUES('xzf', '24 ', 0)' at line 1
The part under the "values" syntax is the one that i'm trying to insert. that information is correct.that is VALUES('xzf', '24 ', 0) is Correct and i want to insert this only , but their is some problem with the syntax.Any suggestions?
What echo_me said.
Additionally, in $sql2 and $sql3 you are closing the VALUES (...) parenthesis too soon:
VALUES('$_POST[optiontwo])',
^ remove this
Your $sql1 is correct.
OPTION is reserved keyword for mysql
try use backticks around it in all your queries
like that:
`option`
look reserved keywords here
In addition to what echo_me stated in removing the parentheses incorrectly added to $sql2 and $sql3, you really should migrate over to mysqli (since mysql is deprecated) and at least use the real escape string option on your post variable before automatically inserting whatever is posted to the script into your database. A good example for your code is:
$post_option1 = mysql_real_escape_string($_POST['optionone']);
$post_option2 = mysql_real_escape_string($_POST['optiontwo']);
$sql1 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option1', '$dbid', 0)";
$sql2 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option2', '$dbid', 0)";
My opinion is it would make things simpler for you as well. The info on the real escape string can be found here:
http://php.net/manual/en/function.mysql-real-escape-string.php
It's against best practice to insert a POST or GET directly into your database without any form of mitigation against SQL injection.
Try to avoid using mysql functions, but rather learn to use PDO functions. They have a number of advantages over mysql functions, although im really sorry, i dont remember them right now, and i dont want to say anything that's not true.
Also, i dont think that the mysql functions can prevent SQL injection, which can let any user alter your Database however they want.
Most importantly though, is that they're deprecated in PHP 5.5
Sorry if i didn't solve your question, just thought to let you know. Good luck, maybe you can get it to work with the new functions.
Update: Sorry, didn't see the comments and posts about switching to mysqli and such.
hi i have the following statement
function count_rows($table_name, $condition = null, $debug = false)
{
$query_result = $this->query("SELECT count(*) AS count_rows FROM " . $this->db_prefix . $table_name . " " . $condition, $debug);
$count_rows = $this->sql_result($query_result, 0, 'count_rows');
return $count_rows;
}
i have been using sql inject me addon for firefox and it gives me the error
A Mysql error has occurred while running the script:
The query you are trying to run is invalid
Mysql Error Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 2
SQL Query: SELECT count(*) AS count_rows FROM database_auctions a WHERE a.active=1 AND a.approved=1 AND a.deleted=0 AND a.list_in!='store' AND a.catfeat='1' AND a.closed=0 AND (a.category_id IN ())
how to sanitize this query against sql injection??
It looks like when you pass the $contidion you are forgetting something here a.category_id IN () between the parentesis should be values.
For avoid the SQL Injection check this
As you can see near this part of your query:
AND (a.category_id IN ())
You don't actually give it a subquery/list of values. You need to do so to determine if the result holds the category_id specified.
To help protect against sql injections, I suggest using the mysqli extension from PHP. I believe they support prepared statements. By using prepared statements, you are discarding the use of string concatenation, and the server "prepares" the sql statement, so the query is only sent to the server once, and then only parameters are sent when you actually execute the SQL query.
http://php.net/manual/en/class.mysqli-stmt.php
http://php.net/manual/en/mysqli-stmt.prepare.php
I'm working on an existing website trying to prevent SQL injections. Before $_GET['ID'] was unsanitized.
$ID=mysql_real_escape_string($_GET['ID']);
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID=$ID AND s1.MERCHANT_ID=me.MERCHANT_ID");
If I put a ' at the end of the url, with mysql_real_escape_string() I get this from mysql_error():
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1
with out mysql_real_escape_string() I get:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1
I'm not sure whats up with it? Any help would be greatly appreciated.
If it is an id, numerical I assume, why don't you just cast it to an integer?
$ID = (int) $_GET['ID'];
The best advice I can give you is to check out PDO and use bound parameters.
mysql_real_escape_string escapes, but doesn't quote.
Try:
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID='$ID' AND s1.MERCHANT_ID=me.MERCHANT_ID");
More generally, I tend to wrap both of these in a function, like:
function quoteValue($value) {
return "'" . mysql_real_escape_string($value) . "'";
}
This is useful, because you may find down the line that you want more refined quoting behavior (especially when it comes to handling Unicode, control characters, etc.)
It's because you're not quoting the variable.
Here's your query given the following inputs
$_GET['ID'] = "1";
$ID=mysql_real_escape_string($_GET['ID']);
SELECT ... where s1.MERCHANT_ID=1 ...
$_GET['ID'] = "1'"
$ID=mysql_real_escape_string($_GET['ID']);
SELECT ... where s1.MERCHANT_ID=1\' ...
$_GET['ID'] = "1'"
SELECT ... where s1.MERCHANT_ID=1' ...
Phil Brown is right, but you shoul forget about old fashioned mysql_real_escape_string or mysql_connect() as they are very old and move to php`s PDO() where you cand use prepared statements, binds, fetch object any many many more functions.
I suggest read PDO documentation at http://php.net/manual/en/book.pdo.php if you want next generation dabatase manipulation and security from SQL Injection .