
I was trying to check a web site for an SQL injection attack and was amazed to see that it is not very, very simple to prevent, because below is the simple code:

    $sql="select * from user_acount where login_id='".$username."' and password='".$password."' and status='1' ";

I cannot do any SQL injection to test it. I wrote the following:

1st attempt to check SQL injection:

Login:  admin'--
Password:'i typed nothing here '

Result: Wrong password you cannot login.

2nd:

Login:  admin or 1=1 --'
Password:''

Result: Wrong password you cannot login.

3rd:

Login:  admin' or 1=1
Password:''

4th:

Login:  admin or 1=1'--
Password:''

Result: Wrong password you cannot login.

Can anyone please explain what is stopping me? I am not using prepared statements, nor am I using any filter class, nor do I have real_escape_string.

  • I can't imagine how many websites magic quotes have saved the life of. Commented Jun 15, 2011 at 9:20
  • Do you compare the posted password with the password from the DB in PHP? I.e., do you have something like if ( $password != $row['password'] ) { showError('Wrong password you cannot login'); }? Commented Jun 15, 2011 at 9:22
  • So this is 100% SQL injection safe code because magic_quotes is enabled? Cool and easy method to protect against SQL injection, isn't it? Commented Jun 15, 2011 at 9:33
  • No, it is not cool. Not 100% portable, deprecated, soon to be gone, unsafe in some cases. Prepared statements - that is cool and easy-to-use protection. Commented Jun 15, 2011 at 9:54

5 Answers

5
  • Magic Quotes might be turned on (so user input is automatically processed to be better suited for composing database queries).
  • Register Globals might be turned off (so you would have to use $_REQUEST['username'] or related instead of $username).
  • There might be a bug in your program that prevents the input admin'-- from being stored in $username (e.g. form element names do not match variable names).

4

Two possibilities:

  1. There is no login_id with admin, therefore the query looks like:

    select * from user_acount where login_id='admin'
    
  2. magic_quotes have been enabled, resulting in queries like:

    select * from user_acount where login_id='admin\'--' and password='' and status='1'
    select * from user_acount where login_id='admin or 1=1 --\'' and password='' and status='1'
    

    The last query will always fail, even if magic quotes were turned off:

    select * from user_acount where login_id='admin or 1=1 --'' and password='' and status='1'
    

    Because -- comments within strings do not work, the query is interpreted like:

    select * from user_acount where login_id='STRING'' and password='' and status='1'
    

    As you can see, this will result in a syntax error after 'STRING'.

2 Comments

Thanks, this is great. So does it mean 100% SQL injection safe?
As long as no special character sets are involved, yes. But do not rely on it; it's deprecated in PHP 5.3 and might be removed in the future. You'd better use prepared statements or escape data using functions like mysql_real_escape_string.
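To make the difference between the concatenated query and the prepared-statement fix concrete, here is an added example that is not part of the question or any answer. It replays the question's login query against an in-memory SQLite table through PDO (it assumes the pdo_sqlite extension is available); the table, its single row and the test inputs are constructed. Magic quotes are deliberately not emulated, because addslashes() produces MySQL-style backslash escapes that SQLite string literals do not interpret.

```php
<?php
// Added example, not code from the question or its answers. Assumes pdo_sqlite.
// The user_acount table and its one row are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_acount (login_id TEXT, password TEXT, status TEXT)");
$db->exec("INSERT INTO user_acount VALUES ('admin', 's3cret', '1')");

// The question's query, built by string concatenation. Returns the number of
// matching rows, or the string 'error' when the resulting SQL no longer parses;
// the question's code reports that error case to the user as a wrong password.
function login_concat(PDO $db, string $username, string $password)
{
    $sql = "select * from user_acount where login_id='" . $username
         . "' and password='" . $password . "' and status='1'";
    try {
        return count($db->query($sql)->fetchAll());
    } catch (PDOException $e) {
        return 'error';
    }
}

// The fix recommended in the comments: a prepared statement. The two values are
// bound as data, so they can never change the structure of the statement.
function login_prepared(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare(
        "select * from user_acount where login_id = ? and password = ? and status = '1'"
    );
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll());
}

// A legitimate login matches the one row in both variants.
var_dump(login_concat($db, 'admin', 's3cret'));
var_dump(login_prepared($db, 'admin', 's3cret'));

// The question's 1st attempt, admin'-- with an empty password. Without magic
// quotes the -- comment swallows the password and status checks in the
// concatenated query, so the admin row comes back; the prepared statement
// looks for a user literally named admin'-- and finds none.
var_dump(login_concat($db, "admin'--", ''));
var_dump(login_prepared($db, "admin'--", ''));

// A perfectly valid username containing an apostrophe: concatenation turns it
// into a syntax error, while the prepared statement simply finds no such user.
var_dump(login_concat($db, "o'brien", 'pw'));
var_dump(login_prepared($db, "o'brien", 'pw'));
```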
1

You are entering a password which includes quotes. This breaks your SQL query, and presumably the code does not distinguish between an error and a legitimate "no such user" result, so you get the wrong password message.

Try leaving the password blank.


1

You don't actually call the real_escape_string() method, but I think magic_quotes_gpc is set to true.

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.

Runtime Configuration - magic_quotes_gpc


1

Have you tried with:

Login:  admin' or '1=1  
Password: admin' or '1=1

Also check whether magic quotes are turned on.
