SQL Protection of injecting in PHP applications

Dec 12, 2008 Author: Spiderman

In these days all of us or very little affected by the development of information technology. Shopping, banking operations, even social contact ... Even if you do not want our personal data is kept in electronic form in a variety of databases of public institutions, banks, sites for electronic payments and others. In this sense, the protection of such data from malicious acquisition and use in Bulgaria is governed by law (Law on privacy. Promulgated in SG. 1 of 4.01.2002 d), but there is a question for the technical side of reliability information systems.

This lesson will examine one of the most "popular" means of unauthorized access to data and how to prevent it. Question on the entry and execution of SQL code in database fields in the entry forms (html format). Or so-called SQL injection.

 

What is SQL injection?

Most easily this can be explained by a small example. Let me razigraem a scenario: John is a freelance programmer employed by the bank to develop a system for electronic payments with credit cards. As part of the system, John, the following table in the database (the example is MySQL):

CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(200) NOT NULL,
`password` varchar(200) NOT NULL,
`creditcard` varchar(200) NOT NULL,
PRIMARY KEY  (`id`)
)
;

This project manager should have noticed an irregularity - passwords should never be kept in blazing form! Usually they are recorded one encrypted (such as MD5 hash). Anyway, this is another topic. Continues to login form system:

<?php
if(empty($_GET['username'])) {
   
echo "<form method='GET' action='login.php'>"
      .
"Username: <input type='text' name='username' /><br />"
      .
"Password: <input type='text' name='password' /><br />"
      .
"<input type='submit' value='Login' />"
      .
"</form>";
}

if(get_magic_quotes_gpc()) {
   
$username = stripslashes($_GET['username']);
   
$password = stripslashes($_GET['password']);
}

$link = mysql_connect($dbhost, $dbuser, $dbpass)
   
or die('Could not connect: ' . mysql_error());

mysql_select_db($mysqldb, $link)
   
or die('Could not select database.');

$query = mysql_query("SELECT * FROM `users` "
      .
"WHERE `username` = '$username' "
      .
"AND `password` = '$password'")
 
or die('Could not select database.');

$row = mysql_fetch_assoc($query);

if(mysql_num_rows($query) >= 1) {
 
echo "Hello {$row['username']}!<br />";
 
echo "Your credit card number is: {$row['creditcard']}.";
}
?>

So John has fulfilled the requirement of project manager: a user types a name and password, and if they are correct sees the message:

Hello [name-of-user]!
Your credit card number is: [number-of-card].

http://.../login.php?username=anything&password=anything'%20OR%201='1

I see the following:

Hello Sidewinder!
Your creditcard number is: 0,123,456,789,987,654.
How does this work? - i
Anything 'or 1 ='1

change SQL query like:

SELECT * FROM `users`
WHERE `username` = 'anything'
AND `password` = 'anything'
OR 1 ='1 '

Be seen that the condition in WHERE will always be fulfilled for all rows. Logic of the script output limited to the first row of the table but themselves know that by adding a little programming can fetch the entire table. To not becoming involved in the class of hackers, will stop here.


views 4842
  1. Add New Comment