Is SQL injection not possible if only one result is displayed on the page?

Question

I'm doing a SQL Injection project for my security module in college, and I'm trying to learn how it works.

I can see how it works when a script doesn't filter input, and then loops over a DB result set, displaying the data on screen. But as far as I can tell, the following code is NOT susceptible to SQL injection, as it is only expecting to display a single set of values on the screen:

<?php
mysql_connect("localhost", "root", "");
mysql_select_db("testdb");

$result = mysql_query("SELECT id, name, description FROM test_table WHERE id = ".$_GET['id']);

list($id, $name, $description) = mysql_fetch_row($result);

echo "ID: $id \n";
echo "Name: $name \n";
echo "Description: $description \n";

?>

If I set the value of id to:

1 OR 1 = 1 UNION SELECT id, username, password FROM users LIMIT 1, 1 -- 

The values from the UNION part of the query are not displayed, unless I run the mysql_fetch_row($result) statement twice, like so:

<?php
$result = mysql_query("SELECT id, name, description FROM test_table WHERE id = ".$_GET['id']);

list($id, $name, $description) = mysql_fetch_row($result);

echo "ID: $id \n";
echo "Name: $name \n";
echo "Description: $description \n";

list($id, $name, $description) = mysql_fetch_row($result);

echo "ID: $id \n";
echo "Name: $name \n";
echo "Description: $description \n";
?>

Only then are the values from the UNION part of the statement displayed, (i.e. username, password).

If anyone knows a thing or two about this, can you confirm that I am correct in saying that the above code is NOT susceptible to SQL injection, as it is only expecting to display a single set of values on the screen.

Please correct me if I'm wrong.

Thanks for your help.

Answer 1

Most people don't understand what injection is.

They confuse injection exploit with injection itself.

Speaking of injections, as long as you're allowing unwanted code in your query - injection IS possible, even if all you injected is "Hello Kitty" (outside intended boundaries).

So, the answer to all the millions questions newbie programmers can devise, "what if I have this", "what if I don't have that" is all the same - YES, injection is possible.

Speaking of exploits, there are much more techniques than you can imagine, some of them quite sophisticated. So, to answer the question "is this injection exploitable?" the answer is most likely YES too.

Therefore, don't bug yourself with question "is it possible?". This question makes not a slightest sense. All you need is to write injection-proof code. This is why this question is bad. Because you should ask

How to write injection-proof code?

instead.

Answer 2

SQL injection is the act of injecting unwanted commands into an SQL query. It does not have anything to do with what comes after, it is the act of being able to send commands that were not intended to the database. This can have consequences beyond displaying data on the front end. With a little bit of probing and guesstimating, it may be possible to discover the structure of your database. An attacker may then be able to cause the database to execute a query akin to:

INSERT INTO admins (username, password) VALUES ('foo', 'bar')

Et voila, the attacker has just created a root admin account with known password for himself and will come walking in through the front door.

Here's a nice story that walks you through it: http://www.unixwiz.net/techtips/sql-injection.html

Whether your particular database API would allow such queries to slip through or not is another point; but SQL injection is certainly not only about output.

Answer 3

An attacker could set id to this:

1 AND FALSE UNION SELECT id, username, password FROM users WHERE username="carl" LIMIT 1, 1 --

...and would get carl's relevant information. He could repeat the process for all usernames (or ids) and would still get a lot of information he shouldn't get. It would just take longer.

Therefore you can not generally say that querying only one row makes SQL injection "less dangerous".

Answer 4

SQL injection is the mere fact that the intention of an SQL command can be modified by externally-influenced input:

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, […] that could modify the intended SQL command when it is sent to a downstream component.

And this is definitely the case in your example.

Note that the lack of a trivial exploitation doesn’t make it any less a flaw. You may not be able to exploit it today, but maybe someone other is able, whether it’s today or maybe some times in the future.

Frankly, a lack of knowledge about SQL injection and SQL in general is why many fail to identify the vulnerability to SQL injections or their possible impact.

And you gave a perfect example for that lack of knowledge: … OR 1 = 1 is true for each row, so unless your table is empty the result set of the injected UNION SELECT will never show up in your results.

Also note that there are exploitation techniques other than UNION SELECT.

Answer 5

As a minor follow up to the earlier very good points to demonstrate why a single record returned is not in any way safe you can use the GROUP_CONCAT aggregate function.

For example an id of:-

1 AND FALSE UNION SELECT 1, 'fred', GROUP_CONCAT(CONCAT_WS('-', id, username, password) ORDER BY id) FROM users -- 

This uses the code from Hauke P. to ensure the first part of the query doesn't return anything, but then UNIONs on a query to get all the user ids, names and passwords. No need to guess as an existing id or name.

This will be fall down slightly due to the default max length of the field returned by GROUP_CONCAT, but by the time someone hits that they have probably already got the login details of 30 users, and they can easily add WHERE id > xxx to get the next batch of 30 or so.