
Saturday, January 21, 2012

Example of a SQL Injection Attack.

The easiest way for the login.php to work is by building a database query that looks like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'

If the values of $username and $password are taken directly from the user's input and placed into the query as-is, the query can easily be manipulated. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

The query then becomes:

SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'

As the inputs of the web application are not properly sanitised, the single quote in the password closes the string literal early, and the rest of the input turns the WHERE clause into two alternatives joined by OR (since AND binds tighter than OR, the database reads it as (username = 'Joe' AND password = 'anything') OR 'x'='x').

The 'x'='x' comparison is always true, regardless of what the first part evaluates to.

This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

To stop this kind of attack, you MUST escape the user's input with a built-in PHP function before placing it into the query. The one to use for this kind of attack is mysql_real_escape_string():

// Escape quotes and other special characters so they stay data, not SQL syntax
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
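The following is an added example, not code from the original post. It is a Python stand-in for the login.php described above (Python and SQLite are chosen so it runs offline; the post's code is PHP/MySQL), using a constructed in-memory logins table with one user. login_unsafe builds the query by string interpolation exactly as the post's first query does and is bypassed by the password string from the post; login_safe uses a parameterised query, in which the driver sends the values separately from the SQL text, so the quotes in the input remain plain data. Note that the mysql_* functions used on the page, including mysql_real_escape_string, were removed in PHP 7; the equivalent of login_safe in modern PHP is a prepared statement via PDO or mysqli, which is also the preferred defence over escaping.

```python
import sqlite3


def make_db():
    """Constructed sample database: a single user 'Joe' with password 's3cret'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO logins (username, password) VALUES ('Joe', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: user input is spliced straight into the SQL text,
    mirroring the page's SELECT id FROM logins WHERE ... query."""
    sql = (
        f"SELECT id FROM logins WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened: '?' placeholders; the values never become part of the SQL grammar."""
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both versions against a correct password and the post's injection string."""
    conn = make_db()
    payload = "anything' OR 'x'='x"  # the password string from the post
    return {
        "unsafe_valid": login_unsafe(conn, "Joe", "s3cret"),
        "unsafe_wrong": login_unsafe(conn, "Joe", "wrong"),
        "unsafe_bypass": login_unsafe(conn, "Joe", payload),   # True: login bypassed
        "safe_valid": login_safe(conn, "Joe", "s3cret"),
        "safe_bypass": login_safe(conn, "Joe", payload),       # False: treated as data
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the unsafe version accepting the injected password while the parameterised version rejects it; the same comparison holds for any driver that supports bound parameters, because the database parses the statement before the values are attached.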
