While I am trying to understand SQL injection I didn't get this part. First, this is my code:

<?php
include "../chat/db.php";
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // the request value is placed straight into the SQL text, followed by "union select 1,2"
    $query = "select user_n,user_id from users where user_id<$id union select 1,2 ";
    $sql = mysqli_query($con, $query);
    if ($sql) {
        if (mysqli_num_rows($sql) > 0) {
            // print every row the query returned, including the row added by the union
            while ($result = mysqli_fetch_assoc($sql)) {
                echo "user name: " . $result["user_n"] . "of the id= " . $result["user_id"] . "<br>";
            }
        } else {
            echo "there's no results";
        }
    }
} else {
    echo "error";
}
// random id for the link below, so each reload offers a different lookup
$tt = rand(0, 30);
?>
<br>
<a href="<?php echo "sql.php?id=" . $tt; ?>"><?php echo $tt; ?></a>

Results are fine, as you can see in this picture: results

What I don't understand is this union select 1,2 result:

{user name: 1of the id= 2} shows up because of

union select 1,2

My question is why it shows up like that. Please, if someone can explain this step of "select 1,2", thank you, and sorry if something is not clear or I explained my point badly.

  • Please post text as text into the question, not as 3 separate links to 3 separate images. – deceze Jun 18 '18 at 08:07
  • The same result shows up as the last row in your first picture. This has nothing to do with SQL injection. You're just unioning another row to the end of your results. – deceze Jun 18 '18 at 08:14
  • My question is: what is "select 1,2" doing here? How is it working? We didn't give it any info to select. – mohamed saci Jun 18 '18 at 08:19
  • @mohamedsaci It just returns one row containing a cell with value "1" and a cell with value "2". You can easily try it out yourself in a database. This has nothing to do with SQL-Injection. This is just basic SQL. – Ivar Jun 18 '18 at 08:21
  • https://dev.mysql.com/doc/refman/8.0/en/union.html – deceze Jun 18 '18 at 08:23
  • I get it, thank you. – mohamed saci Jun 18 '18 at 08:28
  • Having said that, isn't this still open to SQL injection? – Progrock Jun 18 '18 at 09:26

1 Answer

Any request can manipulate the query through SQL injection.

For example, I could make a request of your page:

http://example.com/chat/index.php?id=0+UNION+SELECT+TABLE_SCHEMA,TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES

Basically, anyone can inject any SQL query as long as that query selects two expressions. Just add a number to finish the id < $id expression, but the value of $id can go on with anything else the request passed to the PHP code.

I don't know why the query includes union select 1,2. I suppose this is an example coding exercise in a class teaching you SQL injection risks, and the union select 1,2 is a way for the instructor to give you a hint that the SQL injection involves UNION.

You could make this query safer in either of two ways:

  1. Cast the parameter to a number, which removes any non-numeric part:

    $id = (int) $_GET['id'];
    
  2. Use a query parameter:

    $query = "select user_n,user_id from users where user_id < ? union select 1,2 ";
    

See How can I prevent SQL injection in PHP? for more details on query parameters.
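To make the answer's three points reproducible offline (why the (1, 2) row always appears, how a request value that continues past the number becomes SQL, and what each of the two fixes does to it), here is an added Python/SQLite example. It is not the answerer's code or the asker's PHP: the users table and its three rows are constructed, sqlite_master stands in for INFORMATION_SCHEMA.TABLES, and php_int_cast models PHP's (int) cast.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the question's users table, so the example runs offline.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (user_id integer primary key, user_n text)")
    con.executemany("insert into users values (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con

def vulnerable_lookup(con, raw_id):
    # Same shape as the question's query: the request value is pasted into the SQL text,
    # so anything after the number is parsed as SQL. The trailing "union select 1,2"
    # is why the row (1, 2) always appears.
    query = f"select user_n,user_id from users where user_id<{raw_id} union select 1,2"
    return con.execute(query).fetchall()

def php_int_cast(value):
    # Answer's option 1: PHP's (int) cast keeps a leading integer and drops the rest
    # (input with no leading digits becomes 0). Modelled here in Python.
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0

def parameterized_lookup(con, raw_id):
    # Answer's option 2: the value is bound as a parameter and never becomes SQL.
    query = "select user_n,user_id from users where user_id < ? union select 1,2"
    return con.execute(query, (raw_id,)).fetchall()

# The answer's probe translated to SQLite: sqlite_master plays the role of
# INFORMATION_SCHEMA.TABLES, and the leading 0 completes the "user_id <" comparison.
PROBE = "0 union select name,type from sqlite_master"

def demo():
    con = make_db()
    return {
        "normal": vulnerable_lookup(con, "3"),
        "injected": vulnerable_lookup(con, PROBE),
        "int_cast": vulnerable_lookup(con, php_int_cast(PROBE)),
        "parameterized": parameterized_lookup(con, PROBE),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the int cast the probe collapses to `user_id<0`, so only the (1, 2) row comes back; with the bound parameter the whole probe string is compared as a value and no sqlite_master row ever appears.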
