2

So I have finished creating a database and I use PHP to insert data into it. I have been trying to do SQL injection attacks and other things to see if I am secure, but since I am no expert I was hoping to check that what I have done is secure and the correct way to go about it.

I have this form (names/variables have been modified), and when the submit button is pressed, the function insert() runs:

<form action="" method="POST">
  var1: <input type="text" name="var1"><br>
  var2: <input type="text" name="var2"><br>
 <input type="submit" value="Submit">
</form>

<?php
function insert() {
    $connect = mysqli_connect("localhost", "user", "user", "table");
    // Raw POST values are interpolated straight into the SQL string;
    // this is the part being tested for injection
    $var1 = $_POST['var1'];
    $var2 = $_POST['var2'];
    mysqli_query($connect, "INSERT INTO column_name (var1, var2) VALUES ('$var1','$var2');");
}
?>

and I can't seem to inject my form, which has var1 and var2, with this:

$var2 = '): DROP TABLE test --

and several variants of this.

From looking around I have found that mysqli_query will only accept one query so that is why it is not working. Correct me if I am wrong.

My other idea was affecting the PHP script that is running, by injecting the form with this:

$var2 = "'); "); mysqli_query($connect,"DROP TABLE test");//

Question: can this type of thing happen, where you can affect the PHP function through the $_POST method while it runs? I have looked around and can't find anything. Is that because it can't?

Any research papers, articles, etc. that I can have a look at to help, if what I am asking is obvious, would be appreciated :)

EDIT: I will be adding prepared statements to make this secure.

user3634933
  • 135
  • 1
  • 12
  • I don't think the second snippet will work. A variable does not execute unless your code takes a string and then executes the string content. – Gokigooooks Apr 01 '15 at 05:18
  • Why not use prepared statements? http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 With your current code a user could inject all sorts of data. – chris85 Apr 01 '15 at 05:21
  • It seems that answering your second idea and explaining why that won't work/happen will only give me -4 points, so just remember: even though they inject something like 'mysqli_query($connect,"DROP TABLE test");' it will still be considered a string. – Ceeee Apr 01 '15 at 05:56

3 Answers

1

SQL injections use commands like union to run multiple queries at once at a vulnerable place. Your form IS vulnerable, because you are not using any sort of escaping or prepared statements. What if your $var2 would contain, for example, hi')? That would escape the brackets and open a vulnerability. Also, if you just take $_POST['value'] and insert it directly into the database, it opens an XSS vulnerability.

Eda190
  • 669
  • 1
  • 7
  • 20
  • You can use software for testing without SQL injection knowledge. For example [Havij](https://www.google.com/search?q=Havij+pro&ie=utf-8&oe=utf-8&gws_rd=cr&ei=J4wbVa-cOZfiaozPgpAG) – Eda190 Apr 01 '15 at 06:12
1

If you want to make sure your site is safe, I suggest you:

First, use a prepared statement:

 $stmt = $mysqli->prepare("SELECT DISTINCT Name FROM City WHERE Name = ?");
 $stmt->bind_param("s", $city);
 $stmt->execute();

Second, use the filter_input method, for example:

 filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
4EACH
  • 2,132
  • 4
  • 20
  • 28
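The insert() function from the question rewritten the way this answer suggests, as an added example that is not code from the question or from any answer: the values are bound as parameters instead of interpolated, and the POST fields go through filter_input() first. The table name demo and the connection credentials are assumed.

```php
<?php
// Added example: hardened version of the question's insert().
// Assumed: a table "demo" with columns var1 and var2, and the same
// credentials the question uses.

function insert_safe(mysqli $connect, string $var1, string $var2): bool
{
    // The SQL text goes to the server once with placeholders; the values
    // travel separately and are never parsed as SQL, so an input such as
    // "'); DROP TABLE test --" or "'); mysqli_query(...); //" is simply
    // stored as that literal string. PHP source inside a string is data,
    // not code, and is never executed.
    $stmt = $connect->prepare("INSERT INTO demo (var1, var2) VALUES (?, ?)");
    $stmt->bind_param("ss", $var1, $var2);   // "ss": both bound as strings
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Throw on any mysqli failure instead of continuing with a broken handle
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $connect = new mysqli("localhost", "user", "user", "table");

    // filter_input returns null when the field is missing and false when
    // the filter rejects it; FILTER_DEFAULT keeps the raw string, so swap in
    // a stricter filter (e.g. FILTER_VALIDATE_EMAIL) where the field allows.
    $var1 = filter_input(INPUT_POST, 'var1', FILTER_DEFAULT);
    $var2 = filter_input(INPUT_POST, 'var2', FILTER_DEFAULT);
    if ($var1 === null || $var1 === false || $var2 === null || $var2 === false) {
        http_response_code(400);
        exit("var1 and var2 are required");
    }

    insert_safe($connect, $var1, $var2);

    // Parameter binding stops SQL injection only; when the stored value is
    // echoed back into HTML it still has to be escaped to avoid the XSS the
    // first answer mentions.
    echo "Stored: " . htmlspecialchars($var1, ENT_QUOTES, 'UTF-8');
}
```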
-1

You are not supposed to certify your site against SQL Injection by trying to figure out how to exploit the hundreds of potential security breaches you leave all around the place.

If you want to make sure your site is safe, just take the applicable security measures, like using prepared statements.

Havenard
  • 27,022
  • 5
  • 36
  • 62
  • I understand that, but I thought a good way to learn about SQL injection was to give it a try, since I haven't really seen it before. So I was wondering if the statements I was using were on the right track, and I will be adding prepared statements into my database. – user3634933 Apr 01 '15 at 05:40
  • Read everything; I think the OP is really just trying things out, for learning purposes (check out his form, it doesn't look like it's for production or something). – Ceeee Apr 01 '15 at 06:03