3

So I know the basics of a SQL injection attack, with entries that are not sanitized. So 

SELECT id FROM users WHERE username='$username' AND password='$password'

(Note that $password is hashed) would be defeated with $username=x' or 1=1; --

A friend said that if you throw a \n character into your source code, then you can't comment the rest of the query out. So if you have 

Select id
from users
where username='$username'
and password='$password'

in php, and then submit it to the query, then even if they tried to comment out the username, it would error because the and password='$password' would still try and be executed.

I tried it, and he seems to be correct. So, my question is, while you should still sanitize your database inputs, does this prevent an attack like this, or is there a way to bypass it still?

I don't know if it matters, but I'm talking specifically about mysql here.

ci0ccarellia
  • 795
  • 9
  • 26
jnesselr
  • 941
  • 1
  • 7
  • 12
  • here's the best article for that, use `PreparedStatements` http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php – John Woo Feb 04 '13 at 09:18
  • Thanks for the article link! Why was this question down voted, by the way? Did I do something wrong that can be improved next time, or was it just the topic of the question? – jnesselr Feb 04 '13 at 18:30

1 Answers1

2

I toyed around a bit with this, but I don't see this method of using newlines helping at all. Maybe there's some differences between different versions of mysql clients, but running PHP with MySQL-ND adding the newlines doesn't seem to help against sending the username x' OR 1=1 OR ', this doesn't rely on the -- commenting at all, which effectively defeats the whole purpose of the newline.

There may be easier and other ways around it as well, but it seems quite easily defeated at least. I would never trust a "clever solution" like this.

SilverSnake
  • 562
  • 2
  • 12