
I am new to SQL injection and I want to ask something about the UPDATE statement.

(I am not asking how to prevent the injection; I am asking, for example, how to inject an UPDATE statement into an UPDATE statement with SQL injection.)

If I have a table named "users" with columns id, Fname, Lname, Ip, Sex, date, Signature and I use this to update:

mysql_query("UPDATE users SET Fname='$fname', Lname ='".$_GET["lname"]."', Ip ='$ip' ,Sex ='$sex' WHERE id='$id'")

Can you inject through lname to update "Signature" too? How does that work?

edit.php?id=1&lname=Boris&lname=' , Signature = '123&ip=123&Sex=1

(It's not working.)

Can you point me to where I can read about this? I tried searching for SQL injection but I can't find how you can update inside an UPDATE statement.

boris (question edited by Nikolaj Dam Larsen)
  • Putting it straight, I can make it so that the table `users` never existed – Rotimi Oct 14 '17 at 08:57
  • 3
    Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Rotimi Oct 14 '17 at 08:58
  • thanks for the replay i dont think its duplicate .. and can you give me example how can you "make that the table never exist" and please can you show me how can you update column likke Signature that its not in the statement so how can you update somthing if its not in the statement ? thank again ! edit : i didn't ask for how to prevent SQL injection .. i want to learn how injection in the update statement work – boris Oct 14 '17 at 09:07
  • you are pretty much correct, you just forget the urlencoding, it would be: `&Sex=1%27%20%2C%20Signature%20%3D%20%27123` – hanshenrik Oct 14 '17 at 09:55

3 Answers


Since you inject the input directly into the query without any escaping or validation, you basically let the user run whatever query he wants in your database.

For example, in this case let's say you only want to allow him to edit his first name. Your query looks like this:

"UPDATE users SET Fname = '" . $_GET["fname"] . "' WHERE id = ".$_GET["id"];

If his input looks like this: id=1&fname=John, SQL will run the following query:

UPDATE users SET Fname = 'John' WHERE id = 1

But let's say his input looks like this: id=1&fname=John', email='aaa. Then SQL will run the following query:

UPDATE users SET Fname = 'John', email='aaa' WHERE id = 1

What just happened is that he updated his email even though you did not let him.

A few notes:

  • The example above is the least destructive example I could think of; with SQL injection the attacker can do much more malicious things, including hacking your server.
  • Even with an innocent user, let's say he inputs De'wayne to change his name, your query will fail.
  • You let your user update his details with an id that comes from the input - BAD idea; he can choose whatever id he wants, which means he can update all users' data.
  • You shouldn't use the GET method for updating/inserting things. Use GET only for fetching things.
HTMHell
  • @boris Well, didn't this answer your question? If not, what is your question? – HTMHell Oct 14 '17 at 09:52
  • Yes, but your injection will not work on `$query="UPDATE users SET Fname='".$_GET["fname"]."', Lname ='".$_GET["lname"]."', Ip ='".$_GET["ip"]."',Sex ='".$_GET["sex"]."' WHERE id=".$_GET[id];`, only on your statement. For example, if my statement is `mysql_query("UPDATE users SET Fname='$fname', Lname ='".$_GET["lname"]."', Ip ='$ip' ,Sex ='sex' WHERE id='$id'")`, your injection will not work – boris Oct 14 '17 at 09:56
  • @boris WHY NOT? Try it. The only reason I made the query shorter is to make it easier to read. If you don't have an email column you can change the injection to any other column you have. – HTMHell Oct 14 '17 at 09:58
  • Can you read the topic? I edited it because it's hard to explain in a comment (no newlines...). I tried what you said, and as I said in the topic: "edit.php?id=1&lname=Boris&lname=' , Signature = '123&ip=123&Sex=1". Don't get mad, my friend, and again thank you for the help – boris Oct 14 '17 at 10:03
  • @boris I'm not getting mad, it's OK. I hope you understand the logic and why it SHOULD work. About why it's not working for you, can you echo the final query instead of executing (`echo` instead of `mysql_query`), and write the output? additionally, update your query to something like that: `mysql_query($query)or die(mysql_error())` and tell me if you have any errors. – HTMHell Oct 14 '17 at 10:14
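To make the mechanics in this answer concrete, here is an added Python example (not code from the question or from this answer) that builds the question's UPDATE with the same string concatenation the PHP uses and runs it against an in-memory SQLite table, then runs the identical input through a parameterized statement. It assumes a `users` table with TEXT columns and SQLite in place of MySQL; the single-quote handling that matters here is the same in both, and the payload string is the one from the question. It also covers the innocent-apostrophe case (De'wayne) from the notes above.

```python
import sqlite3

# Constructed schema mirroring the question's "users" table (assumption: TEXT columns).
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    Fname TEXT, Lname TEXT, Ip TEXT, Sex TEXT, date TEXT, Signature TEXT
);
INSERT INTO users VALUES (1, 'Boris', 'Old', '10.0.0.1', '1', '2017-10-14', 'original');
"""

# The lname value from the question's URL, after URL-decoding.
PAYLOAD = "' , Signature = '123"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_query(fname, lname, ip, sex, user_id):
    # Same construction as the PHP in the question: every value is pasted into
    # the SQL text, so a quote inside any value changes the statement itself.
    return ("UPDATE users SET Fname='%s', Lname='%s', Ip='%s', Sex='%s' WHERE id='%s'"
            % (fname, lname, ip, sex, user_id))


def update_vulnerable(conn, fname, lname, ip, sex, user_id):
    conn.execute(build_vulnerable_query(fname, lname, ip, sex, user_id))
    conn.commit()


def update_parameterized(conn, fname, lname, ip, sex, user_id):
    # Values travel separately from the SQL text; the driver never parses them
    # as SQL, so the same payload is stored verbatim as a last name.
    conn.execute(
        "UPDATE users SET Fname=?, Lname=?, Ip=?, Sex=? WHERE id=?",
        (fname, lname, ip, sex, user_id),
    )
    conn.commit()


def read_user(conn, user_id):
    row = conn.execute(
        "SELECT Fname, Lname, Signature FROM users WHERE id=?", (user_id,)
    ).fetchone()
    return {"Fname": row[0], "Lname": row[1], "Signature": row[2]}


def demo():
    results = {}

    # 1. Concatenated query: the payload closes the Lname literal and smuggles
    #    in a second column assignment, so Signature changes too.
    results["vuln_sql"] = build_vulnerable_query("Boris", PAYLOAD, "123", "1", 1)
    conn = fresh_db()
    update_vulnerable(conn, "Boris", PAYLOAD, "123", "1", 1)
    results["vuln_row"] = read_user(conn, 1)

    # 2. Parameterized query with identical input: Signature is untouched and
    #    Lname now literally contains the payload text.
    conn = fresh_db()
    update_parameterized(conn, "Boris", PAYLOAD, "123", "1", 1)
    results["param_row"] = read_user(conn, 1)

    # 3. Innocent apostrophe: the concatenated statement is a syntax error,
    #    the parameterized one simply stores the name.
    conn = fresh_db()
    try:
        update_vulnerable(conn, "De'wayne", "Smith", "123", "1", 1)
        results["apostrophe_vuln"] = "ok"
    except sqlite3.OperationalError as exc:
        results["apostrophe_vuln"] = "error: %s" % exc
    conn = fresh_db()
    update_parameterized(conn, "De'wayne", "Smith", "123", "1", 1)
    results["apostrophe_param"] = read_user(conn, 1)["Fname"]

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Printing `vuln_sql` is the same check this answer suggests in the comments (echo the final query instead of executing it): the extra `, Signature = '123'` is visible in the text before the database ever sees it.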
You are pretty much correct, you just forgot the URL encoding; it would look like:

edit.php?id=1&lname=Boris&lname=Solnich&ip=123&Sex=1%27%20%2C%20Signature%20%3D%20%27123
hanshenrik

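As an added example (not hanshenrik's code), the following Python decodes request targets the way PHP fills `$_GET` (percent-decoding, last value wins for a repeated parameter), so you can see what the server actually received for the raw attempt in the question versus the encoded form in this answer, and it flags decoded values shaped like a SET-clause injection. The access-log lines are constructed for the example; only the query strings come from this thread, and the regular expression is a heuristic for this one pattern, not a complete detector.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from any real server). The request targets
# are the ordinary request, the encoded payload from this answer, and a name
# with an innocent apostrophe.
LOG_LINES = [
    '10.0.0.5 - - [14/Oct/2017:09:55:01 +0000] "GET /edit.php?id=1&lname=Boris&ip=123&Sex=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Oct/2017:09:55:09 +0000] "GET /edit.php?id=1&lname=Boris&lname=Solnich&ip=123&Sex=1%27%20%2C%20Signature%20%3D%20%27123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Oct/2017:09:55:12 +0000] "GET /edit.php?id=1&lname=De%27wayne&ip=123&Sex=1 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Heuristic: a quote that closes a string literal, then a comma and a
# "column = '" assignment. A lone apostrophe (De'wayne) does not match.
SET_INJECTION_RE = re.compile(r"'\s*,\s*\w+\s*=\s*'")


def decoded_params(target):
    """Return {param: value} after percent-decoding. Like PHP's $_GET, a
    repeated parameter keeps only its last occurrence."""
    parsed = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {key: values[-1] for key, values in parsed.items()}


def flag_line(line):
    """Return (param, decoded value) pairs in one log line that match the heuristic."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    params = decoded_params(match.group(1))
    return [(key, value) for key, value in params.items()
            if SET_INJECTION_RE.search(value)]


def scan(lines):
    """Map line index -> flagged parameters, for lines that have any."""
    hits = {}
    for index, line in enumerate(lines):
        found = flag_line(line)
        if found:
            hits[index] = found
    return hits


if __name__ == "__main__":
    for index, found in scan(LOG_LINES).items():
        print("line %d:" % index, found)
```

Decoding first is the important part: matching the raw log text would miss the percent-encoded form, which is exactly the form a browser or client library sends.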

I think this will help you.

Change your MySQL script like this (PHP v5.6):

mysql_query("UPDATE users SET Fname='$fname', Lname ='$lname', Ip ='$ip' ,Sex ='$sex' WHERE id='$id'")
kelak shan
  • I didn't ask how to prevent it; I'm asking, for example, how to inject an UPDATE statement into an UPDATE statement with SQL injection – boris Oct 14 '17 at 09:36
  • Yes... after I learn what I'm asking about, I'll ask how to edit and delete with PHP/MySQL, but not for now. I just want to know "how to inject an update statement into an update statement" – boris Oct 14 '17 at 09:52