0

What is the worst that could happen to my database if my PHP code has a SQL injection vulnerability in the WHERE statement, i.e. `SELECT * FROM table WHERE id='$unescapedstring'`?

Sorry, forgot to mention MySQL.

matthewdaniel
  • Root shells opening on your server, I guess... also you might expose all your users' data and their passwords and sexual preferences, etc. – Kerrek SB Jul 23 '11 at 00:15
  • I don't know what the worst that could happen is. It's very subjective. My answer to a previous question might help though: [SQL injection on INSERT](http://stackoverflow.com/questions/6784902/sql-injection-on-insert/6790701#6790701) – Mike Jul 23 '11 at 09:41
  • Note that [mysql_query](http://php.net/manual/en/function.mysql-query.php) does not allow multiple semi-colon separated queries to be run. [mysqli::multi_query](http://php.net/manual/en/mysqli.multi-query.php), however, does. – Mike Jul 23 '11 at 09:48
  • There are also many ways an SQLI vulnerability could be used to achieve arbitrary code execution. https://security.stackexchange.com/q/77039/103470 – Андрей Беньковский Aug 20 '17 at 08:45

3 Answers

4

What if `$unescapedstring` is set to `cake';DROP TABLE 'table';--`? That'll execute the select, followed by the DROP TABLE statement. Replace the drop table with whatever SQL you want, and you've got yourself the ability to execute any SQL. They can download your database, or wipe it, or modify records...just don't do it. Sanitize your inputs! Otherwise, your users have free rein on your database.

Cyclone
  • Note though that PHP's `mysql_query` only executes one statement at a time. – Kerrek SB Jul 23 '11 at 00:14
  • @Kerrek Note that OP's question does not mention `mysql_query` at all. – Cyclone Jul 23 '11 at 00:17
  • The tags sort of suggested it, though. Fair point, though. – Kerrek SB Jul 23 '11 at 00:18
  • @Kerrek And even if it did, then unsanitized user input could still be used to modify the select query by adding additional parameters. – Cyclone Jul 23 '11 at 00:20
  • Of course, I'm not saying that this is in any way tolerable! I just wanted to remark that the traditional Bobby Tables approach `x' OR 1; DROP ALL; --` doesn't usually work. – Kerrek SB Jul 23 '11 at 00:23
  • It's the first injection vulnerability that comes to mind usually for me, xkcd is always lingering in the back of my mind on this subject. Either way, it's good practice to just sanitize your input so no attacks of any kind can get through. – Cyclone Jul 23 '11 at 00:25
1

The worst that can happen? I'd say that anything can happen with that query.

For example, I submit this:

`unescapedstring: '; (any other query)`

Now, your query becomes:

`SELECT * FROM table WHERE id=''; (any other query)`

From there, I have the ability to execute any MySQL command. I can drop your whole database, I can edit it, I can download your database, and if your server permits, I can even go as far as rooting your actual server.

Basically, the attacker has full access to your MySQL installation. Expect anything.

Blender
1

While the other answers are completely correct, if you have your MySQL user accounts set up correctly, the account executing those queries probably shouldn't have permissions to alter/create/drop tables/databases. Therefore, the worst that could happen in that scenario: `DELETE FROM table`

Endophage
  • "worst that could happen" is pretty subjective, I'd rather lose my entire table than have an admin account sneakily modified or expose my user data to the general public. Haven't you heard of WikiLeaks? – Cyclone Jul 23 '11 at 00:26
  • Oh not to mention, if database contents are ever displayed (unescaped) in the user's browser, your users are also at risk for XSS vulnerabilities as well. And they now have your whole list of emails. – Cyclone Jul 23 '11 at 00:30
  • Ideally the account executing these queries should only have "SELECT" privileges and thus not be able to DELETE FROM table. Ideally "DELETE FROM table" is no big deal - b/c you were backing this stuff up right? So I guess there is no reason to worry about this stuff, if you get everything else perfect, right? – emory Jul 23 '11 at 00:45
  • @emory Any kind of CMS and you're going to need delete, update and insert. Many require create, drop and alter too for plugins. Personally I make the alterations locally then replicate those changes to the production environment but there are plenty of people that don't. – Endophage Jul 25 '11 at 15:00
  • @Cyclone I don't disagree that there are potentially worse things that could happen to the data in the database. But the worst thing that could happen to the database, which is what the OP requested, is deletion/dropping of a table. – Endophage Jul 25 '11 at 15:01
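The query from the question beside a parameterised rewrite, as an added example that is not code from the question or any of the answers above. It uses PDO with emulated prepares switched off rather than the `mysql_*` functions the thread discusses; the DSN, the `app_reader` account, its password and the table name are placeholders, and the `GRANT` in the comment is the least-privilege setup Endophage's answer describes.

```php
<?php
// Added example: the vulnerable query shape from the question, and the
// same lookup done with a prepared statement so input cannot become SQL.

function buildVulnerableQuery(string $unescapedstring): string
{
    // Same shape as the question: the value is spliced straight into the
    // SQL text, so a quote in the input changes the statement's structure.
    return "SELECT * FROM `table` WHERE id='$unescapedstring'";
}

// Cyclone's input: the quote closes the literal, ';' ends the SELECT and
// '--' comments out the trailing quote. Whether the second statement runs
// depends on the driver: mysql_query() refuses stacked statements, while
// mysqli::multi_query() (and PDO with emulated prepares) may run them.
echo buildVulnerableQuery("cake';DROP TABLE `table`;--"), PHP_EOL;
// Even with a single-statement driver, a tautology in the WHERE clause
// returns every row, so "one statement at a time" is not a defence.
echo buildVulnerableQuery("x' OR '1'='1"), PHP_EOL;

function findRowById(PDO $db, string $id): ?array
{
    // The placeholder keeps data separate from SQL: the value is sent to
    // the server apart from the statement text and is never parsed as SQL.
    $stmt = $db->prepare('SELECT * FROM `table` WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder connection details. Per Endophage's answer, give this
// account only what the page needs, e.g. on the server:
//   GRANT SELECT ON app.* TO 'app_reader'@'localhost';
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_reader',
    'placeholder-password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// The same hostile string is now just an id value that matches no row,
// instead of rewriting the query.
var_dump(findRowById($db, "cake';DROP TABLE `table`;--"));
```

The two `echo` lines print the rewritten statements so the effect of the quote and comment characters is visible without touching a database; the prepared lookup at the end needs a live MySQL server with the placeholder account.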