I created a simple site on my own web server to test SQL injection tactics. The site contains only two pages, written in PHP. They are the following:
<form action='login.php' method='POST'>
Username: <input type='text' name='username'/><br/>
Password: <input type='password' name='password'/><br/>
<input type='submit' value='Login'/>
</form>
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// Deliberately vulnerable: user input is concatenated straight into the SQL text
$query = "SELECT id FROM users WHERE username='$username' AND password='$password'";
if (!mysql_connect("localhost", "test", "")) die(mysql_error());
if (!mysql_select_db("test")) die(mysql_error());
$res = mysql_query($query);
if (!$res) die(mysql_error());
$row = mysql_fetch_assoc($res);
if (!$row) die("Invalid login.");
$userid = $row['id'];
?>
Login successful. User id is <?=$userid?>.
Let's consider what happens if the hacker enters "admin' #" as the user name. The resulting SQL query would then look like this:
SELECT id FROM users WHERE username='admin' #'AND password=''
This would bypass the password altogether.
However, it does not work. I am getting the following as the resulting SQL query:
SELECT id FROM users WHERE username='admin\' #' AND password=''
So it seems that my server automatically escapes the text when ' is entered. Does this mean that in the latest Linux/Apache2/PHP/MySQL setup SQL injection is rendered impossible, or do I misunderstand something? I have PHP version 5.2.4 with Apache 2.2.8.
Edited by on 14-05-08 22:52
Nope, it's just like that; now Apache has a default option of escaping ' or " whenever you post something to the server.
BTW, I had the same problem when I was testing XSS on my server.
OK, look below this post, it's more useful. But what is the point of testing an exploit which is excluded in the default installation of the server? The challenge would be to bypass it.
Edited by clone4 on 13-05-08 16:04
You have magic_quotes_gpc set to 1. Try setting this to 0 and try again.
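The escaping seen in the question is magic_quotes_gpc applying addslashes() to every GET/POST/COOKIE value; it was deprecated in PHP 5.3 and removed in 5.4, so it is not something a login page can rely on. As an added example (not the poster's code, nor anything from this thread), here is the same login.php rebuilt on PDO prepared statements, where the SQL text is fixed before any user input is bound; the database name, credentials and users(id, username, password) layout are assumed from the original post.

```php
<?php
// Added example: the poster's login.php rebuilt on PDO prepared statements.
// Assumptions taken from the original post: MySQL on localhost, database
// "test", user "test" with an empty password, table users(id, username, password).

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// On PHP <= 5.3 with magic_quotes_gpc=1, $_POST has already been run through
// addslashes(). Undo that so the bound value is what the user actually typed;
// the prepared statement, not the escaping, is what keeps the query intact.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $username = stripslashes($username);
    $password = stripslashes($password);
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=test', 'test', '', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare
    ));

    // The SQL text is fixed here; "admin' #" arrives afterwards as data and is
    // compared literally against the username column, so the comment trick
    // from the question has no SQL to act on. (Plain-text password comparison
    // is kept as in the original post.)
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->execute(array($username, $password));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Log the detail server-side; the original page echoed mysql_error() to
    // the client, which hands table and column names to whoever is probing.
    error_log($e->getMessage());
    die('Database error.');
}

if (!$row) {
    die('Invalid login.');
}
$userid = (int) $row['id'];
?>
Login successful. User id is <?php echo $userid; ?>.
```

With this version the setting of magic_quotes_gpc no longer matters to the query's structure; turning it off (as suggested in this reply) is still the right way to reproduce the original concatenation bug for testing.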
Thank you for your kind replies.