[web] SQL injection test

7 comments, last by BeanDog 17 years, 9 months ago
Would any of you be so kind as to test some parameters in my registration script, to see if you are able to push a successful SQL injection into the query? Right now the script just prints the contents of the query rather than actually letting you guys inject into the database. Here's the link to the page. Let me know if you find any other security-related issues I should know about too; I'm a noob when it comes to web stuff :P.
Absolutely not. Do you think we're totally stupid?

That site could belong to anyone, and you're (anonymously) asking us to do something potentially illegal or harmful to the owner of that site.

Send me back a signed contract which says who you are, you own it (I will be checking up on this) and it's alright for me to do that, and I might consider it (I will of course sign an NDA and charge a fee for this service too).

Mark
I'll take the risk. ;)

The outcome doesn't look like an SQL query to me, but more like a function call. And since I don't know what happens in the function itself, I can't determine whether malicious SQL statements can be inserted.

But we could try to see some code by crashing the script. And it appears you only replace single slashes with two slashes. In SQL the slash isn't the real problem, it's the single quotes that normally would cause the most damage.

O, and you're not checking for html or scripting:
http://geekswhoshower.com/index.py?username=a<script>alert(":)")</script>&password=blah')blah&email=blah@blah.blah&page=register
(copy/paste, 'cause gamedev.net does check it).
Just write a function to filter SQL keywords out of these kinds of inputs. Never directly feed SQL a string that came from a form or any other source; always filter it somehow...

No, don't filter it; something might get through that you forgot. Instead, use SQL parameters. That's the only way you cannot get SQL injection.
Edo
Quote:Original post by edotorpedo

No, don't filter it; something might get through that you forgot. Instead, use SQL parameters. That's the only way you cannot get SQL injection.


err... and using SQL parameters isn't filtering?
Filtering will stop legitimate content which just happens to contain SQL keywords. After all, this post contains the words SELECT, INSERT, UPDATE and UNION. Gamedev hasn't filtered these words.

Mark
Quote:Original post by WanMaster
I'll take the risk. ;)

The outcome doesn't look like an SQL query to me, but more like a function call. And since I don't know what happens in the function itself, I can't determine whether malicious SQL statements can be inserted.

It's a call to an SQL function stored in the database.
Quote:
But we could try to see some code by crashing the script. And it appears you only replace single slashes with two slashes. In SQL the slash isn't the real problem, it's the single quotes that normally would cause the most damage.

I don't care if it errors out on malicious input (I'll turn off erroring to the browser, so all they'll get is a blank page) as long as it doesn't get to the database, and the single quotes should be filtered out before the crash. As for filtering out the backslash, I would like to allow it, and \ is an escape character, so I don't want funny things happening to people that want to use backslashes in their name.
Quote:
O, and you're not checking for html or scripting:
http://geekswhoshower.com/index.py?username=a<script>alert(":)")</script>&password=blah')blah&email=blah@blah.blah&page=register
(copy/paste, 'cause gamedev.net does check it).

Holy crap, I will have to fix that when I get home. Thanks for the heads up.
As far as preventing SQL injection goes, filtering keywords is neither necessary nor sufficient to solve the problem. I'm not sure of Python's syntax, as I've not used Python, but in PHP a query string could be built something like this:
// escape the form values for MySQL before they touch the query string
$Login = mysql_real_escape_string($_REQUEST['Login']);
$Password = mysql_real_escape_string($_REQUEST['Password']);
// build the query from the escaped values
$query = "select * from User where Login='$Login' and Password='$Password'";

The first two lines take the input from a user form and escape the strings correctly for mysql. I'm not sure if an equivalent function exists for Python, but its behavior isn't very complicated, as documented here.

The third line simply inserts the correctly-escaped strings into a query string which will later be run as a query against a MySQL database.

Strings are escaped in different ways for different RDBMS's. You should consult the documentation for your particular database system for how to properly escape strings.
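Putting the three positions in this thread side by side (edotorpedo's "use parameters", Mark's "filtering breaks legitimate input", BeanDog's "escape per RDBMS"), here is an added example in Python, the language the original script is written in. It is not code from the thread or from the poster's script. It assumes an in-memory SQLite table named `user` with `login` and `password` columns (names are assumptions, and the plaintext password column only mirrors the shape of the query in the post above); the `backslash_only` function imitates what WanMaster observed the script doing, and `quote_doubling` is the standard-SQL/SQLite escape, not MySQL's backslash-based one.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for the
    registration/login table. Table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (login TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("unionjack", "pw")],
    )
    return conn


def backslash_only(s):
    """What the thread says the original script does: double backslashes only.
    The single quote, which actually terminates a string literal, is untouched."""
    return s.replace("\\", "\\\\")


def quote_doubling(s):
    """Standard-SQL escaping for SQLite: double every single quote inside the
    literal. MySQL's mysql_real_escape_string uses backslashes instead, which
    is why escaping must follow the target database's rules."""
    return s.replace("'", "''")


# The keyword "filter" that edotorpedo and Mark warn against.
SQL_KEYWORDS = re.compile(r"select|insert|update|delete|union|drop", re.IGNORECASE)


def keyword_filter(s):
    """Strip SQL keywords from the input. Damages legitimate values."""
    return SQL_KEYWORDS.sub("", s)


def login_string_built(conn, login, password, escape):
    """Build the query by string concatenation after applying `escape`.
    Returns the matching logins, or None when the SQL fails to parse
    (the 'crash the script' case WanMaster describes)."""
    sql = (
        "SELECT login FROM user WHERE login='%s' AND password='%s' ORDER BY login"
        % (escape(login), escape(password))
    )
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def login_param(conn, login, password):
    """Same query with bound parameters: the input never becomes SQL text,
    so no escaping or filtering of the value is needed at all."""
    sql = "SELECT login FROM user WHERE login=? AND password=? ORDER BY login"
    return [row[0] for row in conn.execute(sql, (login, password))]


if __name__ == "__main__":
    db = make_db()
    # A quote plus a '--' comment removes the password check entirely.
    print(login_string_built(db, "alice' --", "wrong", backslash_only))
    # A tautology in the password field returns every row.
    print(login_string_built(db, "x", "' OR '1'='1", backslash_only))
    # The payload from the URL posted in the thread just breaks the SQL.
    print(login_string_built(db, "x", "blah')blah", backslash_only))
    # Correct escaping, or parameters, turn the same payload into plain text.
    print(login_string_built(db, "alice' --", "wrong", quote_doubling))
    print(login_param(db, "alice' --", "wrong"))
    # Keyword filtering mangles a perfectly legitimate login name.
    print(keyword_filter("unionjack"), login_param(db, keyword_filter("unionjack"), "pw"))
```

Note that doubling backslashes does nothing against either payload, because in these dialects the backslash never closes the string literal; the single quote does. Quote doubling closes the hole for SQLite, but the escaping rules differ per database, which is exactly why bound parameters are the safer default: the value is sent separately from the statement and is never parsed as SQL.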

