1. Introduction
works, and see how we can fix this vulnerability. We use PHP and MySQL for
the examples. The SQL injection is the top exploit used by hackers and is one
interfaces like web forms. These injected statements go to the database
server behind a web application and may do unwanted actions like providing
SQL Injection attacks are one of the most widely used, oldest, and most dangerous application
vulnerabilities. OWASP (the Open Web Application Security Project) lists SQL
Injection in its OWASP Top 10 document as the top threat to web application security.
<!DOCTYPE html>
<html>
<body>
<h2>SQL injection in web applications</h2>
<!-- method="post" so that the handler can read the fields from $_POST -->
<form action="/form-handler.php" method="post">
  Username:<br>
  <input type="text" name="username" value="">
  <br>
  Password:<br>
  <input type="password" name="password" value="">
  <br><br>
  <input type="submit" value="Submit">
</form>
</body>
</html>
When we click Submit, the form above is sent to the PHP script below:
<?php
// Legacy mysql_* extension, as used in the original script (removed in PHP 7).
mysql_connect('localhost', 'root', 'root');
mysql_select_db('bootsity');

$username = $_POST["username"];
$password = $_POST["password"];

// Vulnerable: the raw input is spliced into the SQL text, so any quotes or
// keywords it contains become part of the statement itself.
$query = "SELECT * FROM Users WHERE username = '" . $username
       . "' AND password = '" . $password . "'";

$re = mysql_query($query);

if (mysql_num_rows($re) == 0) {
    echo 'Not Logged In';
} else {
    echo 'Logged In';
}
?>
In the above example, assume that the user fills in the form as below:
This query always returns some rows, so Logged In is printed in the
browser. The attacker does not know any username or password registered
in the database, yet is still able to log in.
use prepared statements and parameterized queries, the SQL statements are
below:
<?php
$dsn = "mysql:host=localhost;dbname=bootsity";
$user = "root";
$passwd = "root";

// Throw on SQL errors instead of failing silently.
$pdo = new PDO($dsn, $user, $passwd, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$username = $_POST["username"];
$password = $_POST["password"];

// The SQL text is fixed when the statement is prepared; the input travels
// separately as bound values and can never change the statement's structure.
$stmt = $pdo->prepare('SELECT * FROM Users WHERE username = :username AND password = :password');
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();

// A PDOStatement is not countable; fetch one row to see whether anything matched.
if ($stmt->fetch(PDO::FETCH_ASSOC) === false) {
    echo 'Not Logged In';
} else {
    echo 'Logged In';
}

// PDO has no close() method; releasing the objects closes the connection.
$stmt = null;
$pdo = null;
?>
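As an added example that is not part of the original article, the script below puts the vulnerable concatenated query beside its PDO prepared-statement replacement and runs both against an in-memory SQLite database, so it works offline without a MySQL server (pdo_sqlite is assumed to be available; the Users table, its row, and the two test inputs are constructed for the demo):

```php
<?php
// Added example, not from the article. PDO with an in-memory SQLite database
// so that it runs offline; the article's real target is MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and row standing in for the article's Users table.
$pdo->exec("CREATE TABLE Users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO Users VALUES ('alice', 's3cret')");

// Same shape as the vulnerable form-handler.php: input becomes SQL text.
function vulnerableLogin(PDO $pdo, string $username, string $password): bool
{
    $query = "SELECT * FROM Users WHERE username = '" . $username
           . "' AND password = '" . $password . "'";
    return $pdo->query($query)->fetch(PDO::FETCH_ASSOC) !== false;
}

// The prepared-statement fix: the SQL text is fixed, input is bound as values.
function safeLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT * FROM Users WHERE username = :username AND password = :password'
    );
    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $password);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed inputs: a genuine login, then an unknown account with a
// password that closes the quote and appends an always-true condition.
$cases = [
    ['alice',  's3cret'],
    ['nobody', "' OR '1'='1"],
];
foreach ($cases as [$u, $p]) {
    printf("username=%-7s password=%-12s vulnerable=%-5s safe=%s\n",
        $u, $p,
        vulnerableLogin($pdo, $u, $p) ? 'true' : 'false',
        safeLogin($pdo, $u, $p) ? 'true' : 'false');
}
```

The second case is accepted by vulnerableLogin, because the WHERE clause collapses to an always-true condition, but rejected by safeLogin, where the whole payload is compared as a literal password.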
5.2 Using MySQLi (Only for MySQL)
We can also use MySQLi in our form-handler.php to fix the SQL Injection
issue:
<?php
$servername = "localhost";
$dbuser = "root";   // renamed so the form fields below do not overwrite the credentials
$dbpass = "root";
$dbname = "bootsity";

// Create connection (throw on errors instead of returning false)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli($servername, $dbuser, $dbpass, $dbname);

$username = $_POST["username"];
$password = $_POST["password"];

// prepare and bind: "ss" declares both placeholders as strings
$stmt = $conn->prepare('SELECT * FROM Users WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $username, $password);
$stmt->execute();

// Buffer the result set so that num_rows is available
$stmt->store_result();
if ($stmt->num_rows == 0) {
    echo 'Not Logged In';
} else {
    echo 'Logged In';
}

$stmt->close();
$conn->close();
?>
mostly depends on the creativity of the attacker. One other method that may
$username = $_POST["UserId"];   // raw request input, unvalidated
$query = "SELECT * FROM Users WHERE username = " . $username;   // PHP concatenates with ".", not "+"
Then $query becomes: SELECT * FROM Users WHERE username = 1; DROP TABLE profiles;
permissions.
7. Conclusion
In this article, we learned what SQL Injection is and how we can avoid
loopholes in our web applications that may result in SQL injection attacks.
is available on Github for your practice. If you have any queries, or you want
to share more things related to SQL Injection, you may share in the