
I have input values: a user can upload a photo, enter a username, a password, etc.

I want to test for SQL injection myself, and I want some way to prevent it.

I am using MySQL. I know some of you will say use PDO or MySQLi, BUT at this time I still have MySQL as my database.

Thank You!

freitass
Youssef Subehi
  • I saw this one @JohnConde, BUT please read my question properly: I want you to tell me HOW I inject it! – Youssef Subehi Jan 23 '14 at 18:51
  • Just because you are using a MySQL database doesn't mean you can't use PDO or MySQLi extensions on the client side. – Mike Brant Jan 23 '14 at 18:51
  • @YoussefSubehi You can look into penetration testing services or tools to "attack" your application with all sorts of exploits - SQL injection, XSS, CSRF, etc. – Mike Brant Jan 23 '14 at 18:53
  • There are [testing tools](http://sqlmap.org/) that will find all kinds of absolutely horrifying things. Be very careful to test only a development copy as you might accidentally trash your production system if it's full of holes. – tadman Jan 23 '14 at 18:53
  • PDO and MySQLi are just different ways to connect to MySQL Database, you don't need to change your database. – Arian Faurtosh Jan 23 '14 at 18:56
  • Why is this is perfectly reasonable question getting downvoted? There seems to be a nasty-gang on StackOverflow who get pleasure from attacking newbies. – Nigel Alderton Jan 23 '14 at 19:54
  • I don't know why it's down and I don't care; I'm here to ask and learn. I don't care about other responses, down or up; I'm here for an answer and to get the answer. @NigelAlderton thank you, but there is a lot of the nasty gang, as you said. – Youssef Subehi Jan 25 '14 at 20:14

4 Answers


When testing an application of this sort, put values like this in every field:

<div style="background:red">It's Buggy</div>

If that isn't inserted correctly, you'll have errors. If it is inserted correctly and rendered as unescaped HTML you'll know immediately.

This applies to every single parameter that can come in via $_GET or $_POST.

Writing with mysql_query is hazardous at the best of times, and downright reckless if you're not extremely careful. PDO works well with MySQL and doesn't take that long to learn if you follow a good tutorial.

You should be writing queries like this:

INSERT INTO users (name) VALUES (?)

The ? is a data placeholder that you can safely bind against.

A better approach is to use something like Propel or Doctrine to provide a proper database layer. This makes your code much more readable and portable between MySQL and other databases.

tadman

There is plenty of documentation on Google. See: https://stackoverflow.com/a/60496/2226755

Try putting ' or " in your input; if you get an error, it's an SQL injection.

Understanding SQL Injection

Community
user2226755
  • That's a very superficial test as there are ways of sneaking around that using UTF-8. Someone who's used `addslashes` might think they're safe, but couldn't be more wrong. – tadman Jan 23 '14 at 19:01

You can inject SQL with code like anything' OR 'x'='x. You can easily prevent this; just Google "sql injection example(s)" and see for yourself.

Renze
  • An answer that says "Google it" is not really an answer at all. – tadman Jan 23 '14 at 19:02
  • If you think I'm going to place all the SQL injections I know here, you're wrong. He asks for examples; I gave him one and an instruction to learn more of them. Fair enough, I suppose. – Renze Jan 26 '14 at 16:38

Injection techniques vary based on the use case. As an example for username/password checks, given this SQL:

SELECT user_id
FROM users
WHERE name = "$_POST['name']"
AND password = "$_POST['pass']";

...in this case, passing a simple " OR "" = " for the POSTed password field would yield this:

SELECT user_id
FROM users
WHERE name = ""
AND password = ""
OR "" = "";

...and BAM! There are user_id results where in reality there aren't supposed to be.

This is just one isolated case. I'd suggest looking into using PDO as your database driver to do injection checking for you!

jterry
  • Also, [the link suggested](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) by @tadman is a great resource... just take the time to learn PDO. It'll save you _tons_ of time compared to your entire system being hacked and going down. – jterry Jan 23 '14 at 19:05
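The login query from jterry's answer and the `?` placeholders from tadman's answer, side by side in an added, runnable example that is not from any of the posters. It uses Python's sqlite3 on a constructed in-memory `users` table in place of MySQL, so the `OR "" = "` payload is written with single quotes (SQLite's string delimiter); the table, the `alice` row and the function names are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the MySQL users table in the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users (name, password) VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Mirrors the interpolated query in jterry's answer: the input is pasted
    # into the SQL text, so a quote in the input ends the literal and the
    # rest of the input becomes SQL syntax (AND binds tighter than OR, so
    # the trailing OR '' = '' makes every row match).
    sql = ("SELECT user_id FROM users "
           f"WHERE name = '{name}' AND password = '{password}';")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    # The '?' placeholders from tadman's answer: the driver receives the
    # values separately from the statement, so the same input is compared
    # as an ordinary string and no row matches.
    sql = "SELECT user_id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '' = '"  # the page's payload in SQLite quoting
    print(login_vulnerable(db, "", payload))         # [1]
    print(login_safe(db, "", payload))               # []
    print(login_safe(db, "alice", "correct-horse"))  # [1]
```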