Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
http://www.pwntester.com/blog/2014/01/15/hackyou2014-web100-write-up/
At this link, They have injected by hex code like
0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729
meaning:
999999999999 union all (select 'Hello!!')
In mysql,we cannot type a query like
Mysql> 0x0abcd... (assume that 0x0abc.. mean select * from...).
So, Can you explain for me why can they inject as in my link?
p/s: Sorry about my poor English.
The SQL injection does not happen in the INSERT statement but in the second SELECT statement:
"SELECT title FROM picture WHERE id = ".$r['id']
Here $r['id'] is the recently inserted ID, i. e., the user supplied $_POST['id'] value.
Now the reason for why this SQL injection works is MySQL’s support for hexadecimal literals and the fact that the id column of the vote table is of a string type as in that case the following applies:
In string contexts, they act like binary strings, where each pair of hex digits is converted to a character:
mysql> SELECT X'4D7953514C';
-> 'MySQL'
mysql> SELECT 0x0a+0;
-> 10
mysql> SELECT 0x5061756c;
-> 'Paul'
For PHP 0x… is numeric (i. e., is_numeric) and for MySQL 0x… is interpreted and stored as string, which later gets inserted into the above mentioned SELECT statement.
This wouldn’t be possible if either
id would have been a numeric data type, or
the SELECT would have been a prepared statement.
This is already answered in the comments on that blog post. The hex string must be run through PHP, or some other system which incorrectly passes the value to MySQL as a string (instead of a number), in order for this "hack" to work.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am able to navigation between a php page using ID but not using project name. Can you only use an number and not characters?
Works
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE id=$id";
'.$row['project'].'
page url: https://example.com/project.php?id=1
Doesn't work
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE project=$project";
'.$row['project'].'
page url: https://example.com/project.php?project=Test
Thanks for the help!
MySQL uses single or double quotes for strings. Your second query puts string to a query, resulting in invalid query.
This is not a valid SQL query:
SELECT `name` FROM `cats` WHERE `breed` = ordinary cat
But this is:
SELECT `name` FROM `cats` WHERE `breed` = 'ordinary cat'
Of note, be careful with using any input (including query string) in your query like you did. You should use prepared statement instead to safely escape that string for your query.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
Let's say that I have a database with this data stored:
Email-Link-Link2
1E#231-Example1-Example2
1E#231-Example3-Example4
How can I select all of this value with a PDO query excluding those seen before, so in this case 1E#231,will select only one time.
If understand what you said, this is your answer:
Connexion to data base with PDO
<?php
//CONNEXION TO DATA BASE WITH PDO...
$pdo_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
$base = new PDO('mysql:host=localhost;dbname=your_data_base', 'the_user', 'Your_password', $pdo_options);
//end of connexion to data_base
;?>
NOW getting data from data base with not duplication(you can use sql function DISTINCT
<?php
$sc=$base->query("SELECT DISTINCT Email FROM table_where_data_stored");
while($data_distinct =$sc->fetch()){
//your data will be displayed here
;}
;?>
May this help you!!
To evade double selection commonly one use the DISTINCT statement, like this:
SELECT DISTINCT *
FROM myTable
But the best way to evade double-selection is to evade redundant entries to the database. As far as I understand the two entries in your database the second one is an update, and you don't want to overwrite the previous entry. This is a well known problem, and commonly solved like this:
There is a certain date from when on the new eMail should be used, so add a field "valid_from" and add this WHERE statement to your query:
WHERE valid_from > GETDATE()
GETDATE() returns a datetime, therefore it's enough to select "greater than".
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
$SQL="SELECT first_name FROM people WHERE fname = '$fname' INSERT INTO (first_name) VALUES (fname)";
Anything wrong with this? Trying to insert a value from a user defined variable into a mysql table
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in D:\wamp\www\Pxxxx\process.php on line 44
This is the error
$fname is a user defined variable
first_name is the column I'm trying to insert it into and it's in a table called people
You have the order inverted. It seems like you are looking for INSERT .. SELECT syntax (see MySQL documentation here: http://dev.mysql.com/doc/refman/5.6/en/insert-select.html)
INSERT INTO target_table (first_name)
SELECT fname
FROM people
WHERE fname = ?
It was unclear from your example what the name of the table you were trying to insert data into is, so I just listed it as target_table here.
Your SQL statement has to be reordered like this:
"INSERT INTO people (fname) SELECT '$fname' FROM dual;"
This will select the value of $fname from the pseudo table "dual" and insert the value into "people".
Maybe this is more suitable:
"INSERT INTO people (fname) VALUES ('$fname');"
This snippet show you a simple insert statement.
Note: Please have a look for SQL Injection at Wikipedia. The code you are writing is open for these kinds of attacks. If you are writing PHP code, have a look for Prepared Statements and mysqli to prevent these attacks.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Reg ex again.
Trying to run a like SQL query:
mysql_query("SELECT * From tablename WHERE somthing LIKE '%id|length:3:\"{$id}\"%'");
problem is the length value will be unknown, only the ID.
Of course, I could use strlen($id) and do this:
$len = intval(strlen($id));
mysql_query("SELECT * From tablename WHERE somthing LIKE '%id|length:{$len}:\"{$id}\"%'");
But I dont really care to check the len value, there's gotta be a bit of Reg ex to match anything where the length will be and sort this without having to calc the length before.
mysql_query("SELECT * From tablename WHERE somthing LIKE '%id|length:^*:\"{$id}\"%'");
ideas?
#Naddiseo's link is a good one, I recommend you use REGEXP. What do you mean by 'No exact example matching'?
Try something like (I added in the newlines for readability):
mysql_query("SELECT * From tablename
WHERE somthing
REGEXP '^.*id\\\|length:[0-9]+:\"{$id}\".*$'");
The relevant regex without worrying about escaping for MYSQL/php strings is
^.*id\|length:[0-9]+:"abc".*$
(assuming abc is a particular ${id}).
It says, "look for anything followed by the literal string id|length: (I've escaped it as | has a special meaning in regex and you want literal |), followed by numbers ([0-9]+) being the length of the id, followed by :"{$id}" and anything else (where {$id} has been substituted in).
Now, if you read the MySQL regexp page that #Naddiseo quoted, you'd see that any backslashes need to be further escaped as MySQL parses backslashes as special characters.
So, if you were to enter this query into a MySQL command line (let's assume {$id} is abc for now), you'd have to type:
SELECT * From tablename
WHERE somthing
REGEXP '^.*id\\|length:[0-9]+:"abc".*$'
Now, since you are calling this from PHP inside double quotes, you need to escape your backslashes again to make sure the right number get through to MySQL, as well as backslashing your double quotes to escape them. Hence the three backslashes in the mysql_query above before the |.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am new to PHP and mysql and i am trying to make API's for my iphone app.
So far i have been able to connect and retrive data from my sql database now m trying to make entries to it using API's and parameters.
Can anyone help me out here please.
Thanks alot!!
If by to make entries you mean adding data to the database.
You do this in the same way that you select data.
Instead of issuing a select statement like:
SELECT x,y,z FROM table1
You do:
INSERT INTO table1 (x,y,z) VALUES ('a', 1, 'test')
Or:
UPDATE table1 SET x = 'b' WHERE x = 'a'
How you pass parameters depends on the API you use.
It is best (safest) to use PDO to pass parameters.
How to get parameters out of a url
In order to get the parameters out of the url (e.g.: example.com/test.php?username=xyz&password=!##$%) do:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT * FROM users WHERE username = '$username'
AND passhash = sha2(CONCAT(salt,'$password'),512)";
Note that it's vital to put single quotes around the injected variable names when using mysql_real_escape_string() or the escaping will be useless. Used like this the code is 100% secure from SQL-injection.
If you're using PDO, you can drop the mysql_real_escape_string() if not you need it to prevent SQL-injection.
Links
http://dev.mysql.com/doc/refman/5.5/en/update.html
http://dev.mysql.com/doc/refman/5.5/en/insert.html
http://php.net/manual/en/ref.pdo-mysql.php
https://stackoverflow.com/search?q=%5Bphp%5D+%5Bmysql%5D+pdo
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/function.mysql-real-escape-string.php