SQL Injection Scenario

Recently in Community, I asked simple question which is Below :- https://www.facebook.com/groups/2204685680/permalink/10154757491040681/

Running latest stable version of MySQL

And surprisingly many of them failed in answering. I will point out valid answer here.

Point a). 

It is absolutely vulnerable to SQL Injection and not only vulnerable but also Invalid Statement. Ignoring "Invalid" part and focusing on Injection. We cannot allow users input data to run without escaping it.   I am not going to describe , Why ? How and Where for this, I would point you to Read Wonderful Article here :- https://www.owasp.org/index.php/SQL_Injection  

Point b).

In point b, after reading OWASP SQL Injection cheat sheet, you can very much argue, you are adding slashes for quote, that is pretty much safe, unfortunately, the Answer is NOooooooo. Why ? see Below :-

If your mysql character set is "GBK" , than you are still vulnerable to SQL Injection . All I need to do is inject something like0xbf27, andaddslashes()modifies this to become0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5cis interpreted as a single character, not two.  (Read more about it here)

But, What is , You are using "utf8" as mentioned in above image,  You are so far SAFE from quote injection. But not from open space input  or Limit less Boundary. 

What is Open Space Input or Limit Less Boundary , That you will learn in Point c).

Point c).

With mysql charset set to utf8 you are so far safe from all multibyte sequence , but if you closely look into point c, I am not bouding the input or restricting the input . That is , I can very well run command like :-

Remember mysql_real_escape_string only escapes   below character :-

\x00, \n, \r, \, ', ", \x1a.

Thus, any thing like "and" , "or" statement are valid and it can be run :-

$mysqli->query("Select * from users where `username` = 1 or 1=1 ");

$mysqli->query("Select * from users where `username` = 1 or 1=2 ");

$mysqli->query("Select * from users where `username` = 1 ; show tables ");

So, you see, it is very important to limit the boudary of user Input.

Point d)

It is safe from all sql injection point and you can 100% use it in your product environment.

Conclusion :-

Under given circumstances :-

Point a). Vulnerable to SQL Injection

Point b). Vulnerable to SQL Injection as it is not bouded 

Point c). Vulnerable to SQL Injection as it is not bounded

Point d). Safe from SQL Injection

Important Note: Point b and Point c would have been safe from SQL Injection if they were bounded with single quote or double quote on character set with utf8

Also for All Good Reason Check out PDO :- http://pdo.w3clan.com This should be your first prirority.

Loading ...

Related Results :

  1. SQL Injection Scenario
Note :
  • Related Posts are generally User Blog posts.
  • or Other tutorials from other networks of w3clan.com.
  • Any registered user can create related posts based on search term tags.

About the Author