
I'm trying to do this query in order to test for injection. Where is the error in my query?

<?php

// $connection is an already-open mysqli link; its creation is not shown in the post.
$query = "SELECT * FROM login where email = '1' or '1' = '1' limit 1;/*' and password = '1e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855223'";

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));

?>

The result error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*' and password = '1e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b785' at line 1

If I do the query inside mysql workbench it works fine, but when placed in mysqli it gives the error.

Thanks for your help and down count. The simple answer is to use # instead of /*.

Bye

Joe Santi

2 Answers


MySQL supports /* ... */ style comment syntax, but you need to use the closing part. Since you're trying SQL injection, you don't typically have an opportunity to modify the SQL query except at one point. So you can't also append the */ closing part of the comment to the end of the query as well.

Example: you would need to add the closing comment syntax at the end, shown below, but because you're only using SQL injection on the $email variable, you can't do that.

WHERE email = '1' or '1' = '1' limit 1;/*' and password = ... */
               ^^^^^^^^^^^^^^^^^^^^^^^^^^                     ^^

MySQL also supports ANSI SQL comment syntax, which is a single -- preceding the rest of the line. All of what follows -- will be ignored, and there's no closing syntax for this type of comment.

WHERE email = '1' or '1' = '1' limit 1;-- ' and password = ... 
               ^^^^^^^^^^^^^^^^^^^^^^^^^^                     

See https://dev.mysql.com/doc/refman/8.0/en/comments.html

Bill Karwin
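The following is an added example, not code from the question or from the answer above. It assumes the `login` table from the question (columns `email` and `password`, the latter a hex SHA-256 digest) and constructs two rows for it. Each SELECT is the exact text that mysqli_query() would hand to the server after the injected string lands inside the email literal; run them one at a time. Two caveats worth knowing: MySQL treats `--` as a comment only when whitespace follows the dashes, and a lone `;` is tolerated in single-statement mode only if nothing but whitespace or a comment comes after it, which is why the `#` and `-- ` forms parse while the unclosed `/*` does not.

```sql
-- Added example; assumes the login table from the question, rows constructed here.
CREATE TABLE login (
  id       INT PRIMARY KEY,
  email    VARCHAR(255) NOT NULL,
  password CHAR(64) NOT NULL            -- hex SHA-256 digest, as in the question
);
INSERT INTO login (id, email, password) VALUES
  (1, 'alice@example.com', SHA2('alice-secret', 256)),
  (2, 'bob@example.com',   SHA2('bob-secret', 256));

-- In every statement below, the text after the comment marker is the tail of
-- the application's own query ("' and password = '<hash>'") that the
-- injected string has to neutralise.

-- 1. Unclosed /* : the lexer hits end of input inside the comment and the
--    statement is rejected with ERROR 1064 (syntax error). Shown as a comment
--    so this script stays loadable; paste it on its own to reproduce it:
--    SELECT * FROM login WHERE email = '1' OR '1' = '1' LIMIT 1;/*' AND password = 'x'

-- 2. '#' comments to end of line and needs no closing token. Only a comment
--    follows the ';', so the server accepts it as a single statement.
SELECT * FROM login WHERE email = '1' OR '1' = '1' LIMIT 1;#' AND password = 'x'

-- 3. '-- ' (dash dash SPACE) behaves the same. Without the space, "--'" is
--    lexed as two minus signs followed by a string and fails to parse.
SELECT * FROM login WHERE email = '1' OR '1' = '1' LIMIT 1;-- ' AND password = 'x'

-- 4. The ';' is not needed at all; dropping it avoids any dependence on how
--    the client or server treats a trailing semicolon.
SELECT * FROM login WHERE email = '1' OR '1' = '1' LIMIT 1#' AND password = 'x'
```

Statements 2 to 4 each return Alice's row: the `OR '1' = '1'` makes the WHERE clause always true and `LIMIT 1` picks the first row, while the real password check has been commented away.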

You can't enter a where clause (and password = [...]) after a limit clause. limit needs to be at the end of your query.

dearsina
  • look at my edit. If I place the string inside mysql workbench it works fine. But if I use it through the php mysqli it doesn't. Why is that? – Joe Santi Mar 03 '19 at 15:56
  • Because `mysqli_query` only allows _one_ query at a time. As soon as you end your query (by using the semicolon), it considers everything else after it an error. – dearsina Mar 03 '19 at 16:01
  • so how could this be injected? (password is using sha256 encoding) – Joe Santi Mar 03 '19 at 16:07
  • The way I prevent injection is that I'm militant about the kind of input I accept. `preg_replace()` is your friend. Is it the only way? No, but it covers most scenarios. – dearsina Mar 03 '19 at 16:13
  • @dearsina `preg_replace` to stop SQL injections? You should look at https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – user3783243 Mar 03 '19 at 16:39
  • @JoeSanti This could be injected with a `union`... it needs to be a single query execution. – user3783243 Mar 03 '19 at 16:40
  • @user3783243, `preg_replace()` strip away or comment out quotation marks and semicolons. Easy. There are more complex edge cases where `preg_replace()` won't work, but for 99% of injections, it does a decent job. – dearsina Mar 03 '19 at 20:29
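The thread ends on how to stop this class of injection; the linked Stack Overflow answer recommends parameterised queries. The block below is an added example, not code from the thread, showing the server-side form of what `mysqli_prepare()` with `mysqli_stmt_bind_param()` does over the binary protocol: the SQL text is parsed first, with `?` placeholders, and the values are supplied afterwards, so the attack string from the question is compared as a plain string rather than parsed as SQL. It assumes the `login` table from the question; the bound values are constructed.

```sql
-- Added example; not the thread's code. Assumes the login table from the question.

-- The injected string from the question, held as data. Inside the literal,
-- '' is an escaped single quote, so the value is:  1' or '1' = '1' limit 1;#
SET @email    = '1'' or ''1'' = ''1'' limit 1;#';
SET @password = SHA2('whatever-was-typed', 256);

-- The statement is parsed once, with placeholders where the values will go.
PREPARE login_check FROM
  'SELECT id, email FROM login WHERE email = ? AND password = ? LIMIT 1';

-- The server looks for a row whose email column equals the whole attack
-- string. No such row exists, so the result is empty: the quote, the OR and
-- the # never reach the parser as SQL tokens.
EXECUTE login_check USING @email, @password;

DEALLOCATE PREPARE login_check;
```

With the same table, the equivalent mysqli call is `mysqli_prepare($connection, 'SELECT id, email FROM login WHERE email = ? AND password = ? LIMIT 1')` followed by `bind_param('ss', $email, $hash)`; the attack string then produces zero rows instead of a login.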