
Let's consider i have this line of code

    $result = $mysqli->query("SELECT  * from myTable where field='".$_GET['var']."'");

IMHO this is vulnerable to SQL injections.

So I'd like to prove it by sending, via GET / URL, a "var" param that will inject the query with potentially malicious code.

I actually tried this:

    var = "1'; TRUNCATE myTable; ";

I tried to print out the SQL string query before executing it, and it's actually 2 valid SQL statements.

    SELECT  * from myTable where field='1'; TRUNCATE myTable;

1st problem: But actually it seems that mysqli->query will not execute 2 statements at once. Doesn't it?

2nd problem: I see that a common technique to inject queries is to perform the injection, then add comment chars to get rid of the tail of the SQL. Example:

    "SELECT  * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"

Can be injected with :

    var = "1'; TRUNCATE myTable; # ";

But this problem arises and I'm missing the trick to get rid of it:

if the SQL string in the code has new lines, e.g.:

    "SELECT  * from myTable where field='".$_GET['var']."' 
     AND field2 IS NOT NULL"

If I use the above "var", the final result is

    SELECT  * from myTable where field='1'; TRUNCATE myTable; #  
     AND field2 IS NOT NULL

The second line won't be commented out.

How to test injection on this?

Many thanks.

1 Answer

1st problem: But actually it seems that mysqli->query will not execute 2 statements at once. Doesn't it?

That's right, if you want to execute multiple statements you need to use mysqli->multi_query. You can find a good explanation about multiple statements here: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php

But this problem arises and I'm missing the trick to get rid of it

The problem arises because you are using multiple statements, and mysqli->query does not support them.

About your queries:

    $result = $mysqli->query("SELECT  * from myTable where field='".$_GET['var']."'");

You can inject this using, for example, 1' OR 1=1; that would return all entries of myTable in the query result.

    "SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"

Here you could use 1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1

Nowadays there are tools that can automatically check SQL injection for you, take a look at SQL Inject Me (Firefox Addon) for example.
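As an added example (not code from the asker or the answerer), the script below puts the question's concatenated query beside a prepared-statement version and shows that mysqli::query() rejects the stacked-statement input with a syntax error, which is the "1st problem" above. The connection constants, the table layout (myTable with columns field and field2) and the sample inputs are assumptions/constructed; get_result() needs the mysqlnd driver.

```php
<?php
// Added example, not from the question or the answer.
// Assumed connection details (placeholders) and a table
// myTable(field VARCHAR, field2 VARCHAR); adjust to your environment.
$mysqli = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
if ($mysqli->connect_errno) {
    exit("connect failed: " . $mysqli->connect_error . "\n");
}

// Constructed sample inputs: a benign value, a tautology, and the
// stacked-statement value from the question.
$samples = [
    "abc",
    "1' OR '1'='1",              // tautology: matches every row that has field2 set
    "1'; TRUNCATE myTable; # ",  // stacked statement, as tried in the question
];

// Vulnerable form: string concatenation exactly as in the question.
function vulnerableLookup(mysqli $db, string $var): string
{
    $sql = "SELECT * FROM myTable WHERE field='" . $var . "'
            AND field2 IS NOT NULL";
    $result = $db->query($sql);            // mysqli::query() runs ONE statement only
    if ($result === false) {
        return "rejected: " . $db->error;  // the stacked input fails with a syntax error
    }
    return "rows=" . $result->num_rows;
}

// Hardened form: prepared statement; the input travels as data, never as SQL text,
// so neither the quote nor the semicolon changes the query's structure.
function safeLookup(mysqli $db, string $var): string
{
    $stmt = $db->prepare("SELECT * FROM myTable WHERE field = ?
                          AND field2 IS NOT NULL");
    $stmt->bind_param('s', $var);
    $stmt->execute();
    $result = $stmt->get_result();          // requires mysqlnd
    return "rows=" . $result->num_rows;
}

foreach ($samples as $var) {
    echo "input: " . var_export($var, true) . "\n";
    echo "  concatenated -> " . vulnerableLookup($mysqli, $var) . "\n";
    echo "  prepared     -> " . safeLookup($mysqli, $var) . "\n";
}
```

The tautology input changes the row count only in the concatenated version; in the prepared version every input is compared literally against the field column.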


2 Comments

Thanks for your answer. So, in your opinion, there's not actually a way to inject this code with some destroying approach... (e.g. adding a delete/drop/truncate) but only a spying approach (e.g. select where true | select x | union select all)?
Yeap, that's how I see it.
