
I'm writing my final thesis and I need an image illustration that one of my web input fields is SQL injection safe! I have a PHP backend and a MySQL database. I have used prepared statements for my queries so they should be safe, right? However, I need some screen dumps of me trying to "hack" my input field to prove that it works. I'm not a hacker so I don't know any working examples. I know that I have to break the SQL syntax somehow and then write some SQL query that eventually would be run. I would like some really simple example, eventually truncate table or something like that. How can I illustrate this?


PHP code that should be injection safe, right? (please confirm ;)

```php
if ($action == 'layout') {
    // $zite_id and $mysqli_link are assumed to be set earlier in the script.
    $pos = 1;
    // Prepare once; the same statement is executed for every "se*" field.
    $stmt = $mysqli_link->prepare("REPLACE INTO tblSvgElement(PlaceID, SVG, SVGPosition, Path1Color, Path2Color, Path3Color) VALUES (?,?,?,?,?,?)");
    foreach ($_POST as $key => $value) {
        // Only fields whose name contains "se" carry SVG element data; they must be
        // arrays with at least four entries (SVG name plus three colours).
        if (strstr($key, 'se') && is_array($value) && count($value) >= 4) {
            $values = array_values($value);
            // Values are bound as parameters, never spliced into the SQL text.
            $stmt->bind_param("iissss", $zite_id, $values[0], $pos, $values[1], $values[2], $values[3]);
            $stmt->execute();
            $pos += 1;
        }
    }
    $stmt->close();
    $mysqli_link->close();
}
```

Rasmus Puls
    You will not be able to break it. [Are prepared statements safe?](https://security.stackexchange.com/questions/15214/are-prepared-statements-100-safe-against-sql-injection) [How do prepared statements protect me?](https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks) [How does a prepared statement avoid injection?](https://stackoverflow.com/questions/1582161/how-does-a-preparedstatement-avoid-or-prevent-sql-injection) – GrumpyCrouton Nov 17 '17 at 14:32
  • Thanks for confirming! How do I prove it with screen dumps? – Rasmus Puls Nov 17 '17 at 14:34
  • Who are you trying to prove it to? I attached some sources above, maybe you could just show them those. I feel like it would be pretty hard to take a screenshot of something like that. – GrumpyCrouton Nov 17 '17 at 14:35
  • I would try to inject SQL and then take a screen dump of the record inserted. Would this work: `#000000'); DROP TABLE tblSvgs;` if I did not have a prepared statement? I tried that in my input and it just shows as a string inserted; no queries were broken. But it is a bad example to include in my thesis if it would also not have worked without injection-safe code. So I need an example that eventually would break the SQL. – Rasmus Puls Nov 17 '17 at 14:40
  • Unfortunately I can't really help you there; I've never really tried to do SQL injection – GrumpyCrouton Nov 17 '17 at 14:42
  • http://www.unixwiz.net/techtips/sql-injection.html Here are some good examples to try – pr1nc3 Nov 17 '17 at 14:43
  • Why not make one of your parameters contain just `Robert'); DROP TABLE Students;--`? – Your Common Sense Nov 17 '17 at 14:45
  • You can find examples here: https://www.owasp.org/index.php/SQL_Injection. You won't be able to show it, though. Also, the `DROP` examples aren't the best example. Data manipulation or retrieving sensitive data is, to me, more common. You could first use http://php.net/manual/en/mysqli.multi-query.php with no binding and show what happens, then show the effects with this query. – chris85 Nov 17 '17 at 14:57
  • Thanks. So to clarify: if I put in my input `code #000000'); DROP TABLE tblSvgs; --`, it would have been successfully broken without the prepared statement? @YourCommonSense – Rasmus Puls Nov 17 '17 at 15:03
  • Not really, but it would have caused a query error; in some circumstances, though, it would drop table Students, so we can pretend it's harmful enough – Your Common Sense Nov 17 '17 at 15:08
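The comparison the comments describe (concatenated query versus bound parameters, with and without stacked-statement execution) can be run end to end without a MySQL server. The following is an added example, not code from the question or its commenters: it uses Python's built-in `sqlite3` module as a stand-in for PHP/mysqli, because `executescript` plays the role of `mysqli::multi_query`, `execute` the role of `mysqli::query`, and `?` placeholders the role of `prepare`/`bind_param`. The schema, the sample row values and the second table `tblSvgs` are constructed for the demo; the payload is the one discussed in the comments.

```python
import sqlite3

# Constructed payload: the value discussed in the comments, supplied as the Path3Color field.
PAYLOAD = "#000000'); DROP TABLE tblSvgs; --"

# Constructed schema: the table from the question plus a second table for the payload to target.
SCHEMA = """
CREATE TABLE tblSvgElement (
    PlaceID INTEGER, SVG TEXT, SVGPosition INTEGER,
    Path1Color TEXT, Path2Color TEXT, Path3Color TEXT
);
CREATE TABLE tblSvgs (id INTEGER PRIMARY KEY);
"""

INSERT_SQL = ("REPLACE INTO tblSvgElement"
              "(PlaceID, SVG, SVGPosition, Path1Color, Path2Color, Path3Color) ")


def fresh_db():
    """In-memory SQLite database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_path3color(conn):
    row = conn.execute("SELECT Path3Color FROM tblSvgElement").fetchone()
    return None if row is None else row[0]


def insert_concatenated(conn, place_id, svg, pos, c1, c2, c3, stacked):
    """Vulnerable variant: the values are spliced into the SQL text.
    stacked=True runs the text through executescript (the analogue of mysqli::multi_query);
    stacked=False uses execute, which, like mysqli::query, accepts one statement only."""
    sql = INSERT_SQL + f"VALUES ({place_id}, '{svg}', {pos}, '{c1}', '{c2}', '{c3}')"
    if stacked:
        conn.executescript(sql)
    else:
        conn.execute(sql)
    conn.commit()


def insert_prepared(conn, place_id, svg, pos, c1, c2, c3):
    """Safe variant: same statement with placeholders, values bound as parameters
    (the equivalent of the prepare/bind_param/execute sequence in the question)."""
    conn.execute(INSERT_SQL + "VALUES (?, ?, ?, ?, ?, ?)", (place_id, svg, pos, c1, c2, c3))
    conn.commit()


def demo():
    """Run the payload through all three paths and report what the database ended up with."""
    results = {}

    # 1. Concatenation + stacked execution: the spliced-in DROP TABLE actually runs.
    conn = fresh_db()
    insert_concatenated(conn, 1, "a.svg", 1, "#ffffff", "#ffffff", PAYLOAD, stacked=True)
    results["concat_stacked"] = {"tblSvgs_exists": table_exists(conn, "tblSvgs"),
                                 "path3color": stored_path3color(conn)}

    # 2. Concatenation + single-statement execution: the query is rejected as malformed.
    #    This is the "broken query" effect; the data is still not safe, only this payload fails.
    conn = fresh_db()
    try:
        insert_concatenated(conn, 1, "a.svg", 1, "#ffffff", "#ffffff", PAYLOAD, stacked=False)
        rejected = False
    except (sqlite3.Error, sqlite3.Warning):
        rejected = True
    results["concat_single"] = {"rejected": rejected,
                                "tblSvgs_exists": table_exists(conn, "tblSvgs")}

    # 3. Prepared statement: the payload is stored verbatim as the Path3Color value.
    conn = fresh_db()
    insert_prepared(conn, 1, "a.svg", 1, "#ffffff", "#ffffff", PAYLOAD)
    results["prepared"] = {"tblSvgs_exists": table_exists(conn, "tblSvgs"),
                           "path3color": stored_path3color(conn)}
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(path, outcome)
```

Running the script gives the three screenshots the question asks for in one place: with concatenation and multi-statement execution `tblSvgs` is gone and `Path3Color` holds only `#000000`; with concatenation and single-statement execution the query errors out; with the prepared statement both tables survive and the whole payload sits in the column as plain text, which is exactly what the question observed with mysqli.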
