2

I was wondering, while testing my website, whether there is any way that the user can fetch data from my database by making some further modification to the following query:

SELECT * FROM users WHERE login='admin' AND password='1' OR '1'='1';

provided that he knew the admin username and used '1'='1' as the password to hack into it.

What else can he add to echo the password on screen or find table details?

I want to do this to understand the extent to which unprotected SQL can harm us, for my presentation on SQL injection.

Naveen
  • 7,944
  • 12
  • 78
  • 165
  • That's what an SQL injection attack is; you need not know the password to inject a query into the SQL query used. – tuxnani Jul 20 '13 at 15:03
  • Is that the actual code in your application? Because it doesn't seem to have an input for the actual password. Where would `='1' OR '1'='1'` come from? – IMSoP Jul 20 '13 at 15:08
  • 1
    See also http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php – IMSoP Jul 20 '13 at 15:10
  • Don't you mean that the `' OR '1'='1';` part is the hack itself - something that the attacker put into the password field of your form? Then it makes sense. – Jarek.D Jul 20 '13 at 15:11
  • I am aware of SQL prevention techniques, but I wanted to know some possible way to move to the page www.abc.com/admin/index.php, which shows content only when a particular session variable is created, by bypassing the login page. – Naveen Jul 20 '13 at 15:26
  • Also, the password should be hashed BEFORE it is passed to a query, so the only vulnerable part would be the username. And don't forget about comments `-- --` to kill the end of the query. – 19greg96 Jan 26 '14 at 23:15

5 Answers

3

Assuming that:

' OR '1'='1';

is a hack, then the possibilities might be endless if input is not sanitized, e.g.:

' OR '1'='1'; drop table users;

etc.

Jarek.D
  • 1,274
  • 1
  • 8
  • 18
1

Form injection into username and password boxes should be as follows: `z' OR 'x'= 'x`... but attackers can use a URL injection technique to fetch info from your website.

0

This SQL query:

SELECT * FROM users WHERE login='admin' AND password='1' OR '1'='1';

evaluates to SELECT * FROM users WHERE login='admin' AND TRUE

so it will select rows where the login column value is admin. It can be used to bypass the login. It has a serious SQL injection vulnerability.

It's better to use a prepared statement. The problem with SQL injection is that user input is used as part of the SQL statement. By using prepared statements you can force the user input to be handled as the content of a parameter (and not as part of the SQL command).

Vivek Sadh
  • 4,230
  • 3
  • 32
  • 49
0

One of the best ways to keep yourself safe from SQL injection is to use PreparedStatement instead of Statement.

Mukesh S
  • 2,856
  • 17
  • 23
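The two answers above both recommend prepared statements. Here is an added, runnable illustration of the difference (my own example, not code from either answerer or from the question): a constructed in-memory SQLite table with two users, the string-concatenated query from the question beside a parameterized one, both fed the password value `1' OR '1'='1` from the question. The table contents and user names are made up for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: two accounts, plaintext passwords only to keep the
    # point about query construction visible (see the salted-hash answer below).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login_name, password):
    # String concatenation: the user's input is spliced into the SQL text, so a
    # quote character in the input changes the structure of the command.
    sql = "SELECT * FROM users WHERE login='%s' AND password='%s'" % (login_name, password)
    return conn.execute(sql).fetchall()


def login_prepared(conn, login_name, password):
    # Parameter binding: the SQL text is fixed and the values travel separately,
    # so the same input is compared as a literal string and matches nothing.
    sql = "SELECT * FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (login_name, password)).fetchall()


def demo():
    """Return (rows from concatenated query, rows from prepared statement)."""
    conn = make_db()
    payload = "1' OR '1'='1"  # the password value used in the question
    vulnerable_rows = login_vulnerable(conn, "admin", payload)
    prepared_rows = login_prepared(conn, "admin", payload)
    return len(vulnerable_rows), len(prepared_rows)


if __name__ == "__main__":
    vulnerable_count, prepared_count = demo()
    print("concatenated query returned %d row(s)" % vulnerable_count)
    print("prepared statement returned %d row(s)" % prepared_count)
```

With the concatenated query the SQL text becomes exactly the statement quoted in the question, and because AND binds more tightly than OR the condition reduces to `(login='admin' AND password='1') OR TRUE`, which matches every row in the table, not only the admin row. The prepared statement returns nothing, since the password is compared as the literal string `1' OR '1'='1`.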
0

If you salt and hash the password (instead of storing it directly in the table), then the user cannot inject SQL via the password.

If your table looks like so:

TABLE users:
+-------+-----------+---------------------------+---------------...
| login |   salt    |         password          | other columns ...
+-------+-----------+---------------------------+---------------...
| foo42 | 231732156 | d4154b1134b511a5461efe423 |               ...
| bob69 | 765219179 | bba3ef876fe78ebacdccd87ff |               ...
+-------+-----------+---------------------------+---------------...

Then you can store the "password" the first time a user creates their account by generating a one-time random salt, appending it to the end of the user-submitted password, and hashing it. Now, whenever the user tries to log in, you just recompute the hash and check it against the stored password. This way, they can use a password like ' or '1' == '1 if they want, but your server will only use the hash (which may look like bba3ef876fe78ebacdccd87ff, for example).

touch my body
  • 1,634
  • 22
  • 36
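The answer above describes the idea in prose; the following is an added, runnable version of it (my own example, not the answerer's code). It keeps the table shape from the answer (login, salt, password) in a constructed in-memory SQLite database, derives the stored value with PBKDF2-HMAC-SHA256 rather than a plain hash (my choice, since the answer only says "hash"), looks the user up with a bound parameter, and compares the recomputed digest in application code so the submitted password never becomes part of any SQL text. The login names and passwords are made up.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune to your hardware


def make_db():
    # Constructed table in the shape of the answer's example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, password BLOB)"
    )
    return conn


def hash_password(password, salt):
    # Salted, slow key derivation: the stored value depends on both the
    # per-user salt and the password, so equal passwords hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(conn, login_name, password):
    salt = os.urandom(16)  # one-time random salt generated at account creation
    conn.execute(
        "INSERT INTO users (login, salt, password) VALUES (?, ?, ?)",
        (login_name, salt, hash_password(password, salt)),
    )
    conn.commit()


def login(conn, login_name, password):
    # Only the login reaches the database, and it is bound as a parameter.
    # The password is hashed and compared here; it is never placed in a query.
    row = conn.execute(
        "SELECT salt, password FROM users WHERE login=?", (login_name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def demo():
    """Return the outcome of three login attempts against a constructed account."""
    conn = make_db()
    register(conn, "foo42", "correct horse")
    return {
        "right password": login(conn, "foo42", "correct horse"),
        "injection as password": login(conn, "foo42", "' or '1' == '1"),
        "injection as login": login(conn, "' OR '1'='1", "anything"),
    }


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print("%-22s -> %s" % (attempt, "accepted" if ok else "rejected"))
```

The password payload from the answer is simply hashed like any other string and fails the comparison; the login-field payload is bound as a parameter, finds no such user, and is rejected as well. The per-user salt also means that two users who chose the same password get different stored values, which is the reason the answer generates a fresh random salt per account rather than a shared one.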