About set id=1 and password = ' ' in the SQL injection

Question

Here is certain expert's code:

https://github.com/DalerAsrorov/Security-Flaws-And-Their-Prevention/blob/master/SQL%20Injection%20Prevention/FCCU.php#L34

In this example, at first line 34 and 35 doesn't exist. So, it have one bug as described here:

https://github.com/DalerAsrorov/Security-Flaws-And-Their-Prevention/blob/master/SQL%20Injection%20Prevention/exploit3.txt#L21-L24

Set id and password as:

i)' OR '1'='1
ii)' OR ''='
iii) hi' OR 'x'='x

Which also mentioned here:

https://github.com/nathanctung/UCLA-CS-136/blob/1a883e2a6d1014fb5b162b332c867f6b4ef1e461/Assignment%203/submit3-1415097322/exploit3.txt#L21-L25

I am a noob in SQL and php. Really don't know why is this. I'd appreciate if you can tell me.

Update:

In this case, I should have input username and password to log in. But this bug enable one to input something else to log in and see some private content which only accessible to certain group. And the 34 and 35 line fix this bug. I don't know really understand this bug, why some other input enable you to log in?

Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — vascowhite, Feb 06 '17 at 00:44
@Darren I add something else. I'd appreciate if you can help me to fix topic. — fourth, Feb 06 '17 at 01:06

score 0 · Answer 1 · answered Feb 06 '17 at 00:39

Guess you're asking for how this works?

Well- if you logically check password='secret' you get true and are thus allowed to enter. password='dunno' should and will get you false and keep you from entering.

But logically password='whatever' OR true will get you true again. Just that you have a syntax error without dealing with the apostrophe. So the above versions deal with them - but essentially they achieve the same.

score 0 · Accepted Answer · edited Dec 05 '19 at 07:42

In PHP, if you want to verify if user_id and password is correct (notice that this program use user_id, instead of username), usually you write the query like this:

SELECT * FROM user WHERE id = <input_id> AND password = <input_password>

Then, you check if the query returns empty row, then it is invalid user. If the query returns 1 row, then the username and password is correct.

Now, if I want to login as other user (the other user's id is 1 in this case), I will insert 1 in the id column. However, I dont know the password. So, I must find a way to make these part in the query always return true password = <input_password>

One way to do that is by using password = 'random_string' OR password != ''. As the password always more than 0 character, the latter logical expression will always return true. So, I want the query to be something like this

SELECT * FROM user WHERE id = 1 AND password = '<random_string>' OR password != ''

Therefore, I will insert 1 in the id, and test' OR password != ' to make the query like above.

This query will never return empty row as long as user_id with value 1 exists, and you can login as user 1 in the application.

About set id=1 and password = ' ' in the SQL injection

2 Answers2