-3

Definitely, SQL injection is the most serious security issue for web applications, but I think many blogs and tutorials are misleading by exaggerating unrealistic examples (or maybe I'm wrong). The common example is entering a value of

`; DELETE FROM ...`

This is merely theory based on the basics of SQL. In the real world, when using PHP for example, `mysql_query()` or `mysqli->query()` will only execute the first SQL query. Adding anything after `;` will result in a syntax error.

Is it possible to make a WRITE action by SQL injection on a SELECT query in PHP?

UPDATE: My point is to clarify if it is possible to make a second query in PHP. Not discussing the necessity of preventing SQL injection or how to do this. The ultimate solution is obviously prepared statements.

Googlebot
  • The obligatory http://xkcd.com/327/ – biziclop Apr 08 '12 at 07:33
  • In a worst case scenario you could use mysql's `SELECT … INTO OUTFILE` command and write arbitrary files on the server. And then you're pretty much screwed. Besides, _writing_ is not the only security issue, _reading_ is at least as bad. Imagine attackers can get hold of private information/passwords/email addresses/etc. – knittl Apr 08 '12 at 07:36
  • @Dr.biziclop The ultimate solution for preventing SQL injection is to prepare statements. However, my question is not how to prevent it. – Googlebot Apr 08 '12 at 07:38
  • Hi, this question would fit well at IT Security stackexchange. I've flagged it for migration. –  Apr 08 '12 at 07:40
  • With the right tools, I can shoot down a rocket. Exaggerated? Not. When it comes to hackers, they are always striving to be one step ahead. – Gabriel Santos Apr 08 '12 at 07:51
  • Prepared statements are definitely not the ultimate protection. Anyway, I see no point in the question at all. I see no practical reason for asking it. – Your Common Sense Apr 08 '12 at 07:54
  • @YourCommonSense Then what is the best way to prevent SQL statement, if prepared statement is not? – Googlebot Apr 08 '12 at 07:58
  • Use prepared statements for the data and whitelisting for the other query parts. – Your Common Sense Apr 08 '12 at 08:02
  • @YourCommonSense you're a great programmer but with bad memory: "there is no need to parametrization" is a grave delusion. Parameterized queries can do any good only if used explicitly, throughout whole site, with no exceptions. One exception can spoil all the defense. Reference: http://stackoverflow.com/a/9681303/943340 – Googlebot Apr 08 '12 at 08:05
  • Your latter correction to the title made it sensible at the very least. "Are common examples of SQL injection misguided?" is a good question and the answer is yes. Unfortunately, it was too late. Anyway, it's not that important a question. A bad example doesn't mean that the problem doesn't exist. As for the quotation you cited, it missed its goal by a mile. Read my other comment again. And try to understand it. – Your Common Sense Apr 08 '12 at 08:18
  • +1 Yes, you are correct. Most people, including XKCD, don't have a functional knowledge of SQL injection. They just read it in a textbook and never tried it. Try reading "Hackproofing MySQL" by nccgroup. – rook Apr 09 '12 at 23:01

2 Answers

1

Ali, SQL injection is a common concept, not restricted to PHP. Although it's not a hard and fast rule that these actions can be executed and these cannot, yes, it gives hackers a backdoor entry to insight into your DB schema, which in any way is dangerous. Not only alterations: if someone by any means gets to see any of the information, that can be dangerous.

Akash Yadav
  • I've seen tutorials exclusively for `PHP` with an example of a second `DELETE` query. Of course, it is not only PHP; other scripting languages have also implemented such limitations for a single query. – Googlebot Apr 08 '12 at 07:42
1

> My point is to clarify if it is possible to make a second query in PHP.

In some circumstances - yes.
It doesn't matter though, because injections aren't limited to adding second queries.

This latter question, however, contradicts the question title, which reads

> Isn't SQL injection exaggerated?

and the answer is definitely NO, because

> Is it possible to make a WRITE action by SQL injection on a SELECT query in PHP?

No matter if it's possible or not, a SELECT query can be no less disastrous than INSERT/UPDATE.

Your Common Sense
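The behaviour discussed in this thread, as an added example that is not part of the original posts: Python's `sqlite3` with an in-memory SQLite database stands in for PHP and MySQL (an assumption, so the code runs offline), and the table, rows and function names are constructed for illustration. It shows a single-statement API rejecting the stacked `DELETE`, the same concatenated `SELECT` still returning every row, and the prepared-statement and whitelist forms mentioned in the comments.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the MySQL server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return db

def lookup_concat(db, name):
    # Vulnerable pattern: user input is concatenated into the SELECT text.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Hardened: the value is bound as data and never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

ALLOWED_SORT = {"name", "email"}

def list_sorted(db, column):
    # Identifiers cannot be bound as parameters, so they are whitelisted.
    if column not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return db.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()

def stacked_is_rejected(db):
    # execute() accepts one statement only, comparable to the single-query
    # PHP calls named in the question, so the appended DELETE never runs.
    try:
        lookup_concat(db, "x'; DELETE FROM users; --")
    except (sqlite3.Error, sqlite3.Warning):
        return db.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 2
    return False

def select_only_leak(db):
    # No second statement is needed: the input rewrites the WHERE clause
    # and the single SELECT returns every row in the table.
    return lookup_concat(db, "' OR '1'='1")

if __name__ == "__main__":
    db = make_db()
    print("stacked query rejected, table intact:", stacked_is_rejected(db))
    print("rows leaked by concatenated SELECT:", select_only_leak(db))
    print("rows from parameterized SELECT:", lookup_param(db, "' OR '1'='1"))
```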