I am confused about SQL injection. How about $_GET or other instances where it can happen, like the things I don't know?..
-
Could you explain why you think that it can occur only on form submit? – Yupik Dec 21 '17 at 07:44
-
For a beginner like me, I think it happens when a user inputs something or fills up something that will be stored in your database, and if you didn't sanitize it, then the data will damage your database.. – Arel Dec 21 '17 at 07:49
-
Basically there is always a possibility of an SQL injection if there is some kind of user input involved. – Kevin Böhmer Dec 21 '17 at 07:51
-
Key words "user input". – Yupik Dec 21 '17 at 07:52
-
@Yupik key words for a disaster – Your Common Sense Dec 21 '17 at 10:39
-
@YourCommonSense that's right, Little Bobby Tables :) – Yupik Dec 21 '17 at 11:03
-
@Yupik guarding the only "user input" YOU are calling for a disaster – Your Common Sense Dec 21 '17 at 11:16
-
@YourCommonSense guarding only user input is just stupid (like you said), I'm not saying that he should guard only this thing, because prepared statements should be used everywhere in the application (with raw queries you're just asking for a disaster, exactly as you said) ;). – Yupik Dec 21 '17 at 11:29
-
Thanks to the people who answer a question as far as they understand it; it is a big help for us beginners, rather than holding the question for a generalized reason. – Arel Dec 21 '17 at 14:27
3 Answers
SQL injection happens whenever you have data submitted by a user that you integrate into a query and pass to the server without checking it. This could just as easily occur with a GET parameter.
Consider if you have user pages at: /user/{userid}
Someone requests: /user/1;DROP TABLE users;
If you were building a query like this:
SELECT * FROM users WHERE id=$userId
... that query would now be:
SELECT * FROM users WHERE id=1;DROP TABLE users;
So you can see why this might be an issue.

-
Your last example would not work, because "where id=;" is not a valid SQL expression – Kevin Böhmer Dec 21 '17 at 07:53
-
It just needs to get the point across. This is an important concept, not a hacking lesson. – sorak Dec 21 '17 at 07:54
-
Yes, of course, but the OP doesn't seem to be a person that is very familiar with SQL injection, so it might be good to give a working example, so he could try on his own. Anyway, you have edited it, so it's fine :) – Kevin Böhmer Dec 21 '17 at 07:56
-
It is, to a point, but you should never trust user input. Always look at expected data types and make sure it's right. In this case, you want to be working with an integer, so it would protect you if you just cast $userId as an int, with (int) or intval() – sorak Dec 21 '17 at 08:03
-
Copy that sir, but one thing: if the input is generated by my script, like the date function, do I need to filter it? Every piece of data which is made by my script and did not come from the user, do I need to sanitize it, or is there no need? – Arel Dec 21 '17 at 09:42
-
Sorak already answered your question, but to give more details..
An SQL injection vulnerability is exploitable when the SQL query in your application is formed with user-supplied data without proper sanitization. It could be done in many ways, for example:
- a form with a POST request
- or a blog post/dynamic web page (GET request) with URL parameters (http://example.com/?postid=212)
- or a RESTful resource with path parameters (http://example.com/postid/212)
- or even a JSON/XML request submitted to an API or application.
Not only web applications, but also back-end APIs are vulnerable to this attack if data validation is not done properly before executing SQL queries, because the API consumer can inject malicious queries to take over the server/corrupt the data/dump the entire table or even the DB if possible.
For example, the Facebook API has to deal with thousands of third-party applications/mobile apps on a daily basis. Let's suppose the API is vulnerable to this attack; then any of these API consumers could exploit it to gain some control over app servers/data, depending on the severity of the injection.

SQL injection can happen anywhere the user has control over SQL query parameters sent to the database engine. This includes GET / POST, etc.
Consider we have a database table COMPANY, where we save company data, and a WORKER table which saves employee salaries. We would like to build a page which extracts from the database the list of companies established on a date supplied by the user in the URL.
Our code is:
<?php
class RamDb extends SQLite3
{
    function __construct()
    {
        // in-memory database, so the example runs without any setup
        $this->open(':memory:');
    }
}

$db = new RamDb();

// table mockup
$db->exec("CREATE TABLE COMPANY(
    NAME STRING,
    ESTABLISHED INT
)");
$db->exec("CREATE TABLE WORKER(
    NAME STRING,
    SALARY INT
)");
$db->exec("insert into company(name, established)
    select 'TotalFun Inc.', 1970
    union
    select 'Cheap Prices, LLC', 1970
");
$db->exec("insert into worker(name, salary)
    select 'Tadeus Mackevic', 120000
    union
    select 'Sandra Lipkovic', 230000
");

// VULNERABLE: the raw URL parameter is pasted straight into the SQL text
$sql = "SELECT * FROM company WHERE ESTABLISHED = {$_GET['year']}";
$result = $db->query($sql);

$data = [];
while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
    $data[] = $row;
}
var_dump('<xmp>', $data, '</xmp>');
Now if a normal user requests the companies created in the year 1970, like this:
http://localhost/companies.php?year=1970
then we get the companies list:
array(2) {
[0]=>
array(2) {
["NAME"]=>
string(17) "Cheap Prices, LLC"
["ESTABLISHED"]=>
int(1970)
}
[1]=>
array(2) {
["NAME"]=>
string(13) "TotalFun Inc."
["ESTABLISHED"]=>
int(1970)
}
}
However, what if some malicious user would like to get employee salaries instead of the company list? Then he/she could use SQL injection by submitting such a URL: http://localhost/companies.php?year=0%20union%20select%20name,%20salary%20from%20worker
and get the worker salaries list:
array(2) {
[0]=>
array(2) {
["NAME"]=>
string(15) "Sandra Lipkovic"
["ESTABLISHED"]=>
int(230000)
}
[1]=>
array(2) {
["NAME"]=>
string(15) "Tadeus Mackevic"
["ESTABLISHED"]=>
int(120000)
}
}
In general, SQL injection means submitting SQL statements along with field values to the web server.

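As an added example (not part of any of the answers above), here is the third answer's script rewritten so that the ?year=0 union select ... request no longer works. It combines the two defences discussed on this page: the integer validation sorak recommended in the comments on the first answer, and the prepared statement with a bound parameter that Yupik mentioned. The helper name companiesByYear and the choice of filter_var() over a plain (int) cast are my own, not from the answers.

```php
<?php
// Added example, not from the original answers: same in-memory SQLite tables
// as the third answer, but the year lookup is protected in two layers:
//   1. validate the input type (the "cast to int" advice from the comments)
//   2. pass the value as a bound parameter of a prepared statement, so it is
//      compared as data and never parsed as part of the SQL text.
class RamDb extends SQLite3
{
    function __construct()
    {
        $this->open(':memory:');
    }
}

$db = new RamDb();

// table mockup, same data as the third answer
$db->exec("CREATE TABLE COMPANY(NAME STRING, ESTABLISHED INT)");
$db->exec("CREATE TABLE WORKER(NAME STRING, SALARY INT)");
$db->exec("insert into company(name, established)
    select 'TotalFun Inc.', 1970 union select 'Cheap Prices, LLC', 1970");
$db->exec("insert into worker(name, salary)
    select 'Tadeus Mackevic', 120000 union select 'Sandra Lipkovic', 230000");

/**
 * Return the companies established in $year, or null when $year is not an
 * integer. $year is whatever arrived on the URL (always a string), so it is
 * validated first and then bound as a typed parameter; the SQL text is fixed.
 */
function companiesByYear(SQLite3 $db, $year): ?array
{
    // Layer 1: type check. filter_var() returns false for inputs such as
    // "0 union select name, salary from worker" or "1;DROP TABLE users;".
    // A plain (int) cast would silently turn the latter into 1, which also
    // defuses it, but rejecting bad input outright is easier to log and audit.
    $yearInt = filter_var($year, FILTER_VALIDATE_INT);
    if ($yearInt === false) {
        return null;
    }

    // Layer 2: prepared statement. The database receives the query shape
    // and the value separately, so no value can add a second SELECT or a
    // UNION to the statement.
    $stmt = $db->prepare("SELECT * FROM company WHERE ESTABLISHED = :year");
    $stmt->bindValue(':year', $yearInt, SQLITE3_INTEGER);
    $result = $stmt->execute();

    $data = [];
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $data[] = $row;
    }
    return $data;
}

// Constructed inputs standing in for $_GET['year'] from the two requests
// shown in the third answer.
$normalRequest   = '1970';
$injectedRequest = '0 union select name, salary from worker';

// Normal request: both companies established in 1970.
var_dump(companiesByYear($db, $normalRequest));

// Injection attempt: rejected by the type check, so null is returned and
// no query is run at all. Even if the check were removed, the bound
// parameter could only ever be compared against ESTABLISHED, not executed.
var_dump(companiesByYear($db, $injectedRequest));

// In the real page this would be wired up as:
// $companies = companiesByYear($db, $_GET['year'] ?? '');
// if ($companies === null) { http_response_code(400); exit('year must be an integer'); }
```

Note that the prepared statement alone is sufficient to stop the injection; the type check is an additional layer that turns malformed input into a clean 400 response instead of an empty result set, which makes probing attempts visible in the access log.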