28 Comments
- JamesWilson, on 10/12/2007, -0/+14 I really hate the misuse of magic quotes. I hate when I'm forced to see (backslash)' and (backslash)" in titles and content when really the backslashes shouldn't be there.
I know the purpose, but the webmasters should really handle it better.
Edit:
Digg just dropped my real backslashes, so I had to put in placeholder text, emphasizing my point even more of websites mangling user input.
- hackwrench, on 10/12/2007, -2/+7 I've been wondering why a lot of people think that using a system where data is escapable back into commands is a good thing.
- waterandfood, on 10/12/2007, -0/+4 Note that PHP 6 (will be out in 9 +-3 months) no longer has magic quotes. Regardless, instead learn how to validate all data. A nice option is the filter extension (php.net/filter) and of course use an escaping function for your database, like mysql_real_escape_string(). And type casting like $id = (int) $_GET['id']; Trust nothing.
- Urusai, on 10/12/2007, -3/+7 Um, use SQL parameters instead of assembling command text like a simpleton? PHP and other toy environments might not support such incredibly complicated technology.
- latova, on 10/12/2007, -1/+4 Well, they just have to use stripslashes() to get rid of it.
- hangtown, on 10/12/2007, -0/+3 It's true, dynamically building queries with querystring inputs or form input is pretty much passé. Create a command object, use parameters, and validate everything. In asp.net this is not difficult. Php is more like the original asp (scripted, non-object oriented) and is pretty archaic in terms of the technology involved. But even with php there must be some way to not create inline sql queries. That's just bad practice.
- latova, on 10/12/2007, -1/+3 This is a common attack for mysql-php websites. If you are inexperienced and don't get how to defend yourself, put magic_quotes on (ask your host or google it). It will add the security for you with all data inputs.
- flibuste, on 10/12/2007, -0/+2 Do you allow me to add "layered design" to your one-word list?
- darkfate, on 10/12/2007, -0/+2 I just use db abstraction and mysql_real_escape_string usually to stop from mysql injection. What are you talking about PHP being not OOP? 5.2 has lots of capabilities and I already use some of them. It's easier to not use OOP, but the portability is increased.
I validate every $_GET with everything I got. I tend to avoid that and use sanitized post vars though. I don't use direct queries as they are built with the arguments from the functions.
- mikeroySoft, on 10/19/2009, -0/+1 Layered design is just as flawed without validation and permission handling (which gets made use of after validation)
Though I do completely agree that using a layered, OO design to build apps is the way to go, in my experience it's been more for usability and re-usability than security.
- mikeroySoft, on 10/19/2009, -1/+2 one word: Validation
- azidrane, on 10/12/2007, -0/+1 Compile maybe?
- e2superman, on 10/12/2007, -0/+1 Digg actually has a few unchecked forms that you could gather data from that you shouldn't be able to. I won't say which but there are two I know of so far.
- tobyjoe, on 10/12/2007, -0/+1 "I validate every $_GET with everything I got. I tend to avoid that and use santized post vars though."
Sanitized POST vars? Anything in $_POST is inherently as insecure as anything in $_GET.
- kyriakos, on 10/12/2007, -0/+1 thanks
that article looks interesting.
- RustIndy, on 10/12/2007, -0/+1 It's not very difficult in "classic" ASP either, hangtown. Create a database object, assign a command object to it, and then you can start adding parameters (the syntax is freaky-odd at times, but still pretty powerful). Then execute the command (be it a stored procedure or SQL statement), and delete your parameters, close the command object and terminate the database object. As I understand PHP, the procedure is pretty much the same, and even easier if you use the PearDB abstraction layer object.
PHP 5 is very object oriented, complete with overloading and polymorphism (to my knowledge - it's not my primary language). Even "classic" ASP has enough OOP functionality for most purposes, although it's not really an OOP language. PHP can also be compiled.
- RustIndy, on 10/12/2007, -0/+1 The subject of the story is only half-accurate - the article does take a fairly detailed look at how to perform and analyze SQL injection attacks, but there is no useful information on how to prevent them. Not dugg because the article just wasn't that useful to me.
- Dotnetsky, on 10/12/2007, -0/+1 This reminds me of a big erm, "discussion" I had with my site partner who loved to do ADO.NET Sql queries that basically looked like "EXEC spNAME param1 param2" with CommandType.Text. Aaargh!
Finally after about a week of my literally going nutso on him, he finally got the message.
I wrote a whole blog piece on it including the Powerpoint from Gert Drapers (the Sql Server MS guru who wrote the code) 1994 Tech-Ed presentation.
- inactive, on 10/12/2007, -0/+1 Is this like the injection Floyd Landis got ???
- Hypoviax, on 10/12/2007, -0/+1 The article is interesting, however it is quite old.
This is a good article on a wide range of weaknesses in web-apps and is relatively recent (July 06):
http://milw0rm.com/papers/14
- sirsteveh, on 10/12/2007, -1/+1 In PHP, mysqli supports this. So does PDO.
In mysqli:
That may or may not be all that accurate, but that's what it looks like (it's been a while since I had both PHP 5 and MySQL 5 available to me).
- cwncool, on 10/12/2007, -1/+1 does anyone know of any sites to test injections on?
- RidinDirty, on 10/12/2007, -0/+0 Exactly. I see these articles all the time and all I can say is if this stuff is enlightening to you in any way then you have no business writing dynamic web apps that handle any important data.
- bradleyland, on 10/12/2007, -0/+0 When I started with PHP, I came from *gasp* ASP. I was used to using MS SQL server using stored procedures with my ASP (parameters never passed as text). I was amazed at the number of PHP program examples I read or downloaded using stuff like "SELECT * FROM users WHERE username = '$username' and password = '$password';".
My question is, why did anyone working with PHP ever think this method of programming was a good idea, and why has it taken so long to get decent parameterized query support? Even if you validate your input, the parameter information should NEVER be trusted and evaluated, as is possible when constructing a SQL statement in the fashion used above. Even if you think you've covered every possible base, you haven't.
- hackwrench, on 10/12/2007, -2/+1 More information please.
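The pattern bradleyland quotes ("SELECT * FROM users WHERE username = '$username' ...") next to the PDO prepared statement sirsteveh points at, as an added example that is not part of the thread or of any commenter's code. It assumes PHP with the pdo_sqlite driver available and uses an in-memory SQLite database with two constructed rows, so it runs offline; the function names are made up for this example. A legitimate username containing a quote is enough to show the difference: the concatenated query is broken by the input (the data was parsed as SQL), while the prepared statement treats it as a value.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database for the example (not a real schema).
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'hunter2'), ('O''Brien', 'secret')");
    return $db;
}

// Vulnerable form from the thread: the input becomes part of the SQL text,
// so a quote in the input changes the statement instead of being data.
function loginConcat(PDO $db, string $username, string $password): array {
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL is parsed first, the values are bound afterwards,
// so the database never reinterprets them as SQL.
function loginPrepared(PDO $db, string $username, string $password): array {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric ids: the (int) cast waterandfood mentions plus an integer-typed bind.
// Non-numeric input collapses to 0 and simply matches nothing.
function userById(PDO $db, string $rawId): ?array {
    $id = (int) $rawId;
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();

// A perfectly ordinary username that happens to contain a quote.
$name = "O'Brien";

try {
    loginConcat($db, $name, 'secret');
    echo "concatenated query ran" . PHP_EOL;
} catch (PDOException $e) {
    // The quote ended the string literal early: the input was interpreted
    // as SQL, which is exactly the hole an injection uses.
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// The same input is handled as plain data by the prepared statement.
$rows = loginPrepared($db, $name, 'secret');
echo "prepared query matched " . count($rows) . " row(s)" . PHP_EOL;

// Type-cast id lookups: a valid id finds the row, garbage finds nothing.
var_dump(userById($db, '1'));
var_dump(userById($db, 'abc'));
```

The cast alone is not a substitute for binding: it only works for values that are genuinely integers, while placeholders cover every column type and are what mysqli and PDO both provide for exactly this reason.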
- Ghozt64, on 10/12/2007, -3/+2 http://phpnuke.org
- revokin, on 10/12/2007, -4/+1 26 May 2002
- Louis11, on 10/12/2007, -6/+1 This is an old article...