in system is protected against sql injection

2018-07-03 15:58:39

So for a school project I have to make a site with a log-in system. It has a username and password field, and a submit button. It compares the username and password with those in a MySQL database. If the combination is in the database, the user may proceed, else they are redirected to the log-in page. I use prepared PDO statements for my database connection.

Now my teacher wants me to test the safety by performing sql attacks on the log-in system. Unfortunately I have no idea what to put in these boxes, and what would be the outcome. For example, I have tried putting values in both username and password fields that will return true, like this:

1==1,  1===1,  0 is null

But I do not know whether or not I have succeeded and if attackers may access or truncate my database by these sort of statements.

Html code:

<form method="post" action="includes/login.php">
<input type="text" name="gebruikersnaam" >
<input type="password" name="wachtwoord" >
<input type="submit"  value="login">
</form>

Php authentication:

$myusername=$_POST['gebruikersnaam']; 
$mypassword=$_POST['wachtwoord']; 
$sql="SELECT * FROM leerling WHERE leerlingnummer='$myusername' and wachtwoord='$mypassword'";
$sql2="SELECT * FROM lop WHERE gebruikersnaam='$myusername' and wachtwoord='$mypassword'";
$statement2=$conn->prepare($sql2);
$statement2->execute();
$count2=$statement2->rowcount();

if($count2==1){proceed}

$statement = $conn->prepare($sql);
$statement->execute();
$count= $statement->rowcount();

if($count==1){proceed}

else {deny access}

Imagine this query:

SELECT id FROM users WHERE email=? AND password=? LIMIT 1

Now imagine the values would be foo@bar.hello and an empty string for password :

SELECT id FROM users WHERE email='foo@bar.hello' AND password='' LIMIT 1

This would not be harmful if these credentials are not in your database. Now lets give different input:

For email we fill in an empty string, and for password we insert ' OR 1=1 (Note the first apostrophe)

Your teacher wants you to find out whether this means your SQL server will execute the following query:

SELECT id FROM users WHERE email='' AND password='' OR 1=1 LIMIT 1

SQL is a declarative language with which you declare the expectations you have for your result. If your server would interpret our input as stated above, the first users id would be considered correct, simply because one is equal to one.

As it is, it is susceptible to SQL injection

The thing to look at when trying to inject is can I close the statement I'm in right now and add more to the end.

so if you enter username = 123456' -- the SQL statement becomes SELECT * FROM leerling WHERE leerlingnummer='123456' --' and wachtwoord='unimortant'

the -- starts a comment so all it does is select whatever student number is entered ignoring the password.

PDO has good alternatives to prevent this from happening called Prepared Statements. You declare your SQL queries and only enter where user infromation is going to be entered by using a ? or :lable and then bind user input to those points. The page does a way better job at explaining it. This way all user data is clearly seperated from the rest of the command and will be treated as a litteral string rather than a command. Stopping SQL injection.

$sql="SELECT * FROM users WHERE username = '{$_REQUEST['username']}' AND password = '{$_REQUEST['password']}";

Write query in such format will avoid sql injection.

    $sql = 'SELECT * FROM users WHERE username = ? AND password = ?';
    $query = $db->prepare($sql);
    $query->bindParam(1, $_REQUEST['username']);
    $query->bindParam(2, $_REQUEST['password']);

Or pass the parameter to mysql_real_escape_string function and then pass to queries.

$username=mysql_real_escape_string($_REQUEST['username']);
$password=mysql_real_escape_string($_REQUEST['password']);

链接地址: http://www.djcxy.com/p/93790.html

上一篇: PDO准备好的声明有多安全？

下一篇: 在系统中防止SQL注入