-2

I'm trying to demonstrate a SQL injection in my app using Python Flask and MySQL. Various references have mentioned that only 1 query can be run at a time, but even when I tried to do it to run 1 query only, I haven't been able to succeed yet. My code is below. I know that the login_email parameter has made it to the query since I'm able to print it. If the query ran successfully, the result should be printed out at the bottom.

from flask import request  # added: the snippet needs Flask's request object

print(request.form['login_email'])
# %(email)s is a query parameter: the driver binds/escapes the value instead of
# splicing it into the SQL text, so quotes in the input cannot change the query
query = "SELECT * FROM users WHERE email = %(email)s;"
data = {"email": request.form["login_email"]}
result = mysql.query_db(query, data)  # mysql is the asker's own DB helper
print(result)

What I tried to input: ' or '1'='1

  • You can try printing out the content of ```query``` to see if it is quoted; most modern web frameworks are aware of SQL injection, and it is somehow not that easy to break in. – James Li Sep 20 '19 at 05:31
  • @bigdataolddriver: When I add in print(query), it prints out: SELECT * FROM users WHERE email = %(email)s; But in my terminal, it shows the following: Running Query: SELECT * FROM users WHERE email = '\' or \'1\'=\'1'; – qccaprospect Sep 20 '19 at 05:35
  • I have no idea what this question is about. You're using the mechanism to escape inputs in order to avoid injection and asking why it doesn't allow injection? The purpose doesn't make sense. – roganjosh Sep 20 '19 at 05:43
  • The point @roganjosh is talking about: ```mysql.query_db``` is an injection-defensive way of querying; if you keep on using it, basically no injection can happen. – James Li Sep 20 '19 at 05:49
  • I didn't know about that before. – qccaprospect Sep 20 '19 at 06:08

1 Answer

-1

I think your SQL query is like the one below:

# vulnerable pattern: the value is interpolated into the SQL text, so quotes in it change the query
query = f"SELECT * FROM users WHERE email = '{email}';"
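To make the difference between the two comments and the answer concrete, here is an added example (not code from the question or the answer) that runs the same lookup both ways against an in-memory SQLite table; SQLite stands in for MySQL, so the parameter placeholder is `:email` rather than `%(email)s`, and the table rows are constructed.

```python
import sqlite3

# Constructed sample data (not from the original post).
USERS = [("alice@example.com", "Alice"), ("bob@example.com", "Bob")]
PAYLOAD = "' or '1'='1"  # the input the question tried


def make_db():
    """In-memory SQLite stand-in for the MySQL database in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_interpolated(conn, email):
    """Vulnerable: the value is spliced into the SQL text, so quotes in
    `email` change the query's structure (the pattern in the answer)."""
    query = f"SELECT * FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Safe: the SQL text is fixed and the driver passes `email` as a bound
    value, which is what `%(email)s` does in the question's MySQL code
    (SQLite's named parameter style is `:email`)."""
    query = "SELECT * FROM users WHERE email = :email"
    return conn.execute(query, {"email": email}).fetchall()


def demo():
    """Run the payload through both variants plus a normal lookup."""
    conn = make_db()
    return {
        "interpolated": lookup_interpolated(conn, PAYLOAD),    # every row
        "parameterized": lookup_parameterized(conn, PAYLOAD),  # no rows
        "normal": lookup_parameterized(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the parameterized form the payload is compared as a literal e-mail address and matches nothing, which is exactly the escaped query the asker saw in the terminal.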