Skip to content

SQL Injection Attack – Notes For Self Understanding

I’m taking a PHP course at Lander College and part of that is coding defensively. The subject of SQL injections came up in last night’s class, and got me reading the following resources:

What I have learned:

Step 1: Check whether the SQL server sanitizes user input (i.e. escapes bad characters or everything but good characters, which is apparently the better, safer approach).

You can do this by adding a single quote to the area where user input is taken, and looking at the result. If you get an sql error, then the user input is not sanitized.

Step 2.0: If you’re unaware of the database’s table and field names, you need to discover them.

Ideally, you want the server to reveal them to you, which may be possible depending on the software version. So you need

Step 2.1: Discover server version

*Need to go back and understand how this works* – roughly you try to execute a command that returns the software version back to you.

Provided the version is vulnerable, you can

Alternately you do

Step 2.1b: Guess and check the table and field names

You can check whether a field or table name exists by appending a second condition – if it’s true and you get no error, this must mean that your guess was correct. Otherwise you’d get an sql syntax error.

Step 3: Execute malicious SQL

EX.: Read everything in the database with Select * From table

Or Change someone’s email to your own, then request the password reminder or password change. Then you can login as them.

Posted in Business.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.