SQL Injection

With SQL injection, the idea is to supply specially crafted input through forms or URLs so that the original SQL statement which processes that input is subverted and modified SQL code is executed instead.

Example with a login form: I enter the following as the user name:

fasse' --

As the password I type anything at all.

The original SQL statement that processes this input usually looks like this:

$sql = "SELECT COUNT(*) FROM adm_users WHERE usr_loginname = '". $_POST["name"]. "'
        AND usr_password = '". $_POST["password"]. "'";

Now I substitute the contents of the variables:

SELECT COUNT(*) FROM adm_users WHERE usr_loginname = 'fasse' --' AND usr_password = ' '

The apostrophe directly after "fasse" closes the string literal for the user name in the SQL statement, and the two dashes turn everything after it into a comment, so the password check is never evaluated. Provided a user named fasse exists, the statement returns COUNT = 1 and the application believes it has found valid login data, although I never entered a valid password.

In PHP there is the setting magic_quotes_gpc, which is enabled by default in XAMPP. It puts a backslash in front of every quotation mark in all request variables ($_POST, $_GET, ...). If this setting is not enabled, Admidio since version 1.5 does this itself using the function addslashes(). A call to the prepareSQL function is therefore no longer necessary, and that function will soon be removed. Two caveats for today's readers: magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, and backslash escaping only protects quoted string literals on databases such as MySQL that interpret backslashes as escape characters (standard SQL and SQLite do not). Prepared statements with bound parameters are the robust defense, independent of the database's quoting rules.
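The following is an added example, not code from the Admidio project or from this page. It reproduces the login statement above against an in-memory SQLite database with one constructed user (login fasse, password "correct horse"), and shows three variants: the concatenated statement from the page, which the user name fasse' -- bypasses; the same statement fed through a Python imitation of PHP's addslashes(), which stops that payload but, because SQLite (like standard SQL) does not treat the backslash as an escape character, still lets a variant payload through; and a quote-doubling escape plus a parameterized query, both of which hold. The table name, column names and payload are taken from the page; the sample user, the password and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a single user, in the two columns the page's statement uses.
# (The real Admidio schema has more columns; this is just enough to run the query.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adm_users (usr_loginname TEXT, usr_password TEXT)")
    conn.execute("INSERT INTO adm_users VALUES ('fasse', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_login(conn, name, password):
    """The page's statement, built by string concatenation exactly as in the PHP code."""
    sql = ("SELECT COUNT(*) FROM adm_users WHERE usr_loginname = '" + name +
           "' AND usr_password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def addslashes(s):
    """Imitation of PHP addslashes(): backslash before ' " \\ and NUL.
    The backslash itself must be escaped first, otherwise the added backslashes
    would be doubled again."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))


def escaped_login(conn, name, password):
    """Standard-SQL escaping: a quote inside a literal is written as two quotes.
    This matches what SQLite's tokenizer actually understands, unlike backslashes."""
    return vulnerable_login(conn, name.replace("'", "''"), password.replace("'", "''"))


def safe_login(conn, name, password):
    """Parameterized query: the values never become part of the SQL text, so no
    quoting rule has to be right. This is the defense to use."""
    sql = "SELECT COUNT(*) FROM adm_users WHERE usr_loginname = ? AND usr_password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    payload = "fasse' --"           # the user name from the page
    variant = "' OR 1=1 --"         # a payload that needs no existing user name

    print("vulnerable, payload from page:", vulnerable_login(conn, payload, "anything"))   # 1
    print("vulnerable, addslashes(payload):", vulnerable_login(conn, addslashes(payload), "x"))
    # On SQLite the backslash is an ordinary character, so the quote still closes the
    # literal and the variant payload's OR 1=1 is evaluated; on MySQL the backslash
    # would have neutralised the quote.
    print("vulnerable, addslashes(variant):", vulnerable_login(conn, addslashes(variant), "x"))
    print("quote doubling, variant:", escaped_login(conn, variant, "x"))
    print("parameterized, payload:", safe_login(conn, payload, "x"))
    print("parameterized, real credentials:", safe_login(conn, "fasse", "correct horse"))
```

The addslashes() result illustrates why escaping has to match the database: the same escaped string is safe for MySQL's default quoting and unsafe for SQLite's. The parameterized variant is the only one whose correctness does not depend on that.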

  • en/entwickler/sql-injektion.txt
  • Last modified: 2016/12/03 15:13
  • by ximex