SQL Injection in action with PHP and MySQL
Download as PPTX, PDF3 likes7,012 views
The document explains SQL injection, a malicious technique that exploits vulnerabilities in data-driven applications by inserting harmful SQL statements into input fields. It outlines the causes of SQL injection, such as improperly filtered escape characters and incorrect type handling, and provides examples of vulnerable code in HTML and PHP. Additionally, it offers solutions for mitigating these vulnerabilities through proper input sanitization techniques.
![SQL Injection Example
HTML File –
[index.html]
<form action="injection.php" method="POST">
<p>
Username: <input type="text" name="username" />
</p>
<p>
Password: <input type="password" name="password" />
</p>
<p>
<input type="submit" value="Log In" />
</p>
</form>](https://image.slidesharecdn.com/sqlinjection-170305061025/85/SQL-Injection-in-action-with-PHP-and-MySQL-4-320.jpg)
![SQL Injection Example
PHP File – [injection.php]
<?php
//connection to the database and select a DB to work with
$dbhandle = mysql_connect('localhost', 'root', '') or die('MySQL not connected');
mysql_select_db('php_security',$dbhandle) or die ( 'Could not select php_security' );
// execute the SQL query and return records
$username = $_POST["username"];
$password = $_POST["password"];
//uncomment these to fix SQL injection
//$username = mysql_real_escape_string( $_POST["username"] );
//$password = mysql_real_escape_string( $_POST["password"] );
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query( $query , $dbhandle);
// fetch tha data from the database
$num = mysql_num_rows($result);
if ($num > 0) {
print 'got a matching user';
}
// close the connection
mysql_close ( $dbhandle );](https://image.slidesharecdn.com/sqlinjection-170305061025/85/SQL-Injection-in-action-with-PHP-and-MySQL-5-320.jpg)
![What’s wrong with the code
//execute the SQL query and return records
$username = $_POST[‘username’];
$password = $_POST[‘password’];
$query = "SELECT * FROM users WHERE username = $username AND
password=$password";
In the above example, if we take $password as
myuser' or 'foo' = 'foo
$query becomes =
SELECT *
FROM users
WHERE username = ‘prady’
AND password = 'myuser' or 'foo' = 'foo'](https://image.slidesharecdn.com/sqlinjection-170305061025/85/SQL-Injection-in-action-with-PHP-and-MySQL-6-320.jpg)
![Fixing the code
//execute the SQL query and return records
$username = mysql_real_escape_string( $_POST[‘username’] );
$password = mysql_real_escape_string( $_POST[‘password’] );
$query = "SELECT * FROM users WHERE username = $username
AND password=$password";](https://image.slidesharecdn.com/sqlinjection-170305061025/85/SQL-Injection-in-action-with-PHP-and-MySQL-7-320.jpg)
SQL Injection in action with PHP and MySQL
- 1. SQL INJECTION IN ACTION Pradeep Kumar
- 2. What is SQL Injection? • SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). • SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
- 3. Causes of SQL Injection • Incorrectly filtered escape characters Attacker sends following input in a text field and developer doesn’t filters it for further computation. myuser' or 'foo' = 'foo' -- • Incorrect type handling or passing wrong data to DB Developer sends this unfiltered data to database. <?php $sql = "SELECT * FROM users WHERE username = 'myuser' or 'foo' = 'foo' -- AND password = 'a029d0df84eb5549c641e04a9ef389e5'"; ?>
- 4. SQL Injection Example HTML File – [index.html] <form action="injection.php" method="POST"> <p> Username: <input type="text" name="username" /> </p> <p> Password: <input type="password" name="password" /> </p> <p> <input type="submit" value="Log In" /> </p> </form>
- 5. SQL Injection Example PHP File – [injection.php] <?php //connection to the database and select a DB to work with $dbhandle = mysql_connect('localhost', 'root', '') or die('MySQL not connected'); mysql_select_db('php_security',$dbhandle) or die ( 'Could not select php_security' ); // execute the SQL query and return records $username = $_POST["username"]; $password = $_POST["password"]; //uncomment these to fix SQL injection //$username = mysql_real_escape_string( $_POST["username"] ); //$password = mysql_real_escape_string( $_POST["password"] ); $query = "SELECT * FROM users WHERE username='$username' AND password='$password'"; $result = mysql_query( $query , $dbhandle); // fetch tha data from the database $num = mysql_num_rows($result); if ($num > 0) { print 'got a matching user'; } // close the connection mysql_close ( $dbhandle );
- 6. What’s wrong with the code //execute the SQL query and return records $username = $_POST[‘username’]; $password = $_POST[‘password’]; $query = "SELECT * FROM users WHERE username = $username AND password=$password"; In the above example, if we take $password as myuser' or 'foo' = 'foo $query becomes = SELECT * FROM users WHERE username = ‘prady’ AND password = 'myuser' or 'foo' = 'foo'
- 7. Fixing the code //execute the SQL query and return records $username = mysql_real_escape_string( $_POST[‘username’] ); $password = mysql_real_escape_string( $_POST[‘password’] ); $query = "SELECT * FROM users WHERE username = $username AND password=$password";
- 8. Complete code A copy of complete code is available here https://github.com/prady00/php-security-essentials
- 9. Need help? Please connect via email [email protected]
- 10. Thankyou