how sql injection is possible ?


Recently I came to know about SQL injection. It's nothing but giving an
SQL query as user input in an HTML form tag, which will make the PHP
interpreter at the server side execute that. But this thing is not
possible, right? Because whatever input we enter at the HTML tag will be
taken as text that is within "". Suppose I enter "drop table
users" in an HTML registration form. It is stored as such in the database, like
"drop table users". How will the PHP interpreter execute this as a query?

Re: how sql injection is possible ?


Re: how sql injection is possible ?

Suppose you have a badly designed login script:

$username = $_POST['username'];
$password = $_POST['password'];

// the raw form values are interpolated straight into the query string
$sql = "SELECT * FROM users
        WHERE username = '$username' AND
              password = '$password'";

// ... executing query code ...

if (count($results) > 0)
    // successful login attempt

If someone were to attempt to login using the username:

username' OR 1 = 1 --

This would make the SQL statement now:

WHERE username = 'username' OR 1 = 1 --' AND
password = 'd45fg9tf5g7687h9gh79jb'

Since 1 is always equal to 1 and "--" begins an SQL comment,
everything after the "--" is ignored and the user is logged in.

You can prevent these types of attacks by properly escaping user input
using the *_escape_string() functions or, better yet, by using prepared
statements in PDO.
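An added example, not from this thread, that runs the login query from the reply above both ways against a constructed in-memory SQLite table through PDO, so the interpolated string can be seen accepting the ' OR 1 = 1 -- input while the prepared statement only ever compares it as data. The table, the row and the function names are assumptions.

```php
<?php
// Added example (not the poster's code): needs PHP with the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data; the password is kept in plain text only to stay
// close to the reply's query, real code would store and compare a hash.
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");

// Vulnerable form: the form values are pasted into the SQL text, so a quote
// inside the input closes the string literal and the remainder is parsed as SQL.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return count($db->query($sql)->fetchAll()) > 0;
}

// Hardened form: the SQL is compiled first and the values are bound afterwards,
// so the database never parses the input as part of the statement.
function loginPrepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $username, ':p' => $password]);
    return count($stmt->fetchAll()) > 0;
}

$injected = "alice' OR 1 = 1 --";   // the username from the reply above

// interpolated query: the OR 1 = 1 clause matches every row, the password check is commented out
var_dump(loginVulnerable($db, $injected, 'wrong'));
// prepared statement: the same text is looked up as a literal username and finds nothing
var_dump(loginPrepared($db, $injected, 'wrong'));
// prepared statement with the real credentials still logs in
var_dump(loginPrepared($db, 'alice', 'correct horse'));
```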

Re: how sql injection is possible ?

Generally, you shouldn't trust any form data, not even hidden
elements. The function I'm currently using is something like:

function sanitize( & $input, $type = "string" )
{
    // cast the value to the expected type first (settype() is the PHP builtin)
    settype( $input, $type );
    // escaping needs an open mysql_connect() link
    if( is_string( $input ) )
        $input = mysql_real_escape_string( htmlspecialchars( $input ) );
    return $input;
}

I'm not sure if this covers everything (new to PHP), so correct me if I
left anything out. =)

Re: how sql injection is possible ?

New to posting on Usenet too, I guess?

You responded to macca's post, thus offering him advice, instead of
the OP.
