
I have this code on my controller:

$sql = "SELECT * FROM user WHERE id = " . $this->input->get('foo'); 
$foo = $this->db->query($sql);
echo '<pre>';
print_r($foo->result());
echo '</pre>';
die();

I've noticed that if I use this URL:
www.site.com?foo=1 OR 1 = 1
all data of the user table is shown:

Array
(
[0] => stdClass Object
    (
        [id] => 1
        [email] => [email protected]
        [password] => aaa
    )
[1] => stdClass Object
    (
        [id] => 1
        [email] => [email protected]
        [password] => bbb
    )
[2] => stdClass Object
    (
        [id] => 1
        [email] => [email protected]
        [password] => ccc
    )
)

Is it possible to run another query that returns the data from the user_phone table?

Tables:

CREATE TABLE `user` (
  `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  `email` VARCHAR(100) NOT NULL,
  `password` VARCHAR(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=INNODB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8


CREATE TABLE `user_phone` (
  `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  `id_user` INT(11) UNSIGNED NOT NULL,
  `number` INT(11) UNSIGNED NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=INNODB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8

Data:

INSERT  INTO `user`(`email`,`password`) VALUES ('[email protected]','aaa');
INSERT  INTO `user`(`email`,`password`) VALUES ('[email protected]','bbb');
INSERT  INTO `user`(`email`,`password`) VALUES ('[email protected]','ccc');

INSERT  INTO `user_phone`(`id_user`,`number`) VALUES ('1','911911911');
INSERT  INTO `user_phone`(`id_user`,`number`) VALUES ('1','922922922');
INSERT  INTO `user_phone`(`id_user`,`number`) VALUES ('2','955955955');
INSERT  INTO `user_phone`(`id_user`,`number`) VALUES ('3','711711711');

Thanks

EDIT:
I'm aware of the existing mechanisms to prevent this from happening.
My question is whether it's possible, and how, to get data from other tables.

  • Use real_escape_string or something similar to prevent injection. Never trust user input. Commented Aug 21, 2015 at 19:31
  • Can you use parameter binding instead of directly concatenating values like that? You're essentially executing user input as code. Commented Aug 21, 2015 at 19:33
  • Are you asking for the injection string? In short, yes, it is possible to run a query that will output data from any and all tables/databases that the current MySQL user has access to, and more. Commented Aug 21, 2015 at 19:34
  • Hi guys! Thanks for the replies. I'm aware of the functions/methods that can prevent this from happening. My question is whether it's possible, with this code, to return data from other tables. Thanks! Commented Aug 21, 2015 at 19:43
  • You want data from table users and user phone? Commented Aug 21, 2015 at 23:33

4 Answers


I think it's going to be like this.

www.site.com?foo=1 OR 1 = 1 union select * from user_phone where user_phone.id_user = user.id

1 Comment

Hi volkinc! It fails on the user.id (Unknown column 'user.id' in 'where clause') but I get the picture. Thanks a lot!

CI comes with functions to escape variables for exactly this reason.

$foo = $this->input->get('foo');
$foo = $this->db->escape($foo);
$sql = "SELECT * FROM user WHERE id = {$foo}"; 
$foo = $this->db->query($sql);
echo '<pre>';
print_r($foo->result());
echo '</pre>';
die();

1 Comment

Hi Jim. I'm aware of the escape method. My question is whether it's possible with this code to return data from other tables.

You should be able to bind your query using something like this:

$sql = "SELECT * FROM user WHERE id = ? AND name = ?"; 
$foo = $this->db->query($sql, array('foo', 'bar'));

As for getting data from other tables, you'd just need to construct a more elaborate SQL query.
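As an added example (not code from the question or from any answer), the patterns on this page side by side: the controller's string concatenation, the bound-parameter form this answer recommends, and a bound JOIN that reaches user_phone the legitimate way. It runs against a constructed in-memory SQLite copy of the asker's two tables; the email values and the use of SQLite in place of MySQL are assumptions.

```python
import sqlite3

# Constructed copy of the question's schema and data (sample values, not the
# asker's real database); SQLite stands in for the MySQL instance behind CI.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL, password TEXT NOT NULL);
CREATE TABLE user_phone (id INTEGER PRIMARY KEY AUTOINCREMENT, id_user INTEGER NOT NULL, number INTEGER NOT NULL);
INSERT INTO user(email, password) VALUES ('a@example.com','aaa'), ('b@example.com','bbb'), ('c@example.com','ccc');
INSERT INTO user_phone(id_user, number) VALUES (1, 911911911), (1, 922922922), (2, 955955955), (3, 711711711);
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concatenated(conn, foo):
    """Mirrors the controller: the request parameter is pasted into the SQL text,
    so anything it contains is parsed as part of the statement."""
    sql = "SELECT id, email FROM user WHERE id = " + foo
    return conn.execute(sql).fetchall()


def lookup_bound(conn, foo):
    """Equivalent of $this->db->query($sql, array($foo)): the parameter is sent
    as a value and compared against id; it can never change the statement."""
    return conn.execute("SELECT id, email FROM user WHERE id = ?", (foo,)).fetchall()


def phones_for_user(conn, user_id):
    """The supported way to read user_phone for one user: an explicit JOIN on
    user_phone.id_user with the id bound, not concatenated."""
    sql = ("SELECT user.email, user_phone.number FROM user "
           "JOIN user_phone ON user_phone.id_user = user.id "
           "WHERE user.id = ? ORDER BY user_phone.id")
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = connect()
    print(lookup_concatenated(conn, "1 OR 1 = 1"))  # all three rows: the OR became SQL
    print(lookup_bound(conn, "1 OR 1 = 1"))         # []: treated as a literal, no id matches
    print(phones_for_user(conn, 1))                 # the two numbers linked to user 1
```

With MySQL the bound case differs only in that the string is cast to the number 1 (with a warning) and returns that single user; in neither engine is the OR executed.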


You asked about querying data from 2 tables. To query 2 related tables you can use a join. In your example user and user_phone are related. You perform SQL queries with join like the demo below. The user primary key is the glue in the user_phone table.

1 - select *
2 - pass the id we want to retrieve
3 - from which table
4 - perform a join or multiple joins
5 - get the result

Try this:

$this->db->select('*');
$this->db->where('user.id', 1);  // qualify the column: both tables have an `id`
$this->db->from('user');
$this->db->join('user_phone', 'user_phone.id_user = user.id');
$query = $this->db->get();

3 Comments

Can you explain your answer? An answer is much more useful if it explains what is being done so that its techniques can be applied to other situations.
right, I was in a bit of a rush, I added info to explain what the statement does and how it is done. Thanks for pointing that out though :).
Hi mdamia. Thank you for the reply. Basically, my question was how to join tables using SQL injection, not using code.
