sql injection on my own web server

  • icesh
    New Member
    • Mar 2008
    • 15

    sql injection on my own web server

    I've installed XAMPP on my PC..
    Can I do SQL injection on my own web server? (I've read some articles & tried it but I couldn't do SQL injection, dunno why)
    Can anyone help me?
  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #2
    I don't quite understand the point of this..

    You wish to do sql injection on your local machine?

    One question: Why?


    • Atli
      Recognized Expert Expert
      • Nov 2006
      • 5062

      #3
      Yea, I would have to agree with Markus. This does seem somewhat pointless.
      One usually aims to prevent SQL injection.

      Are you looking for tips on how to actually do SQL injection? Because that would violate our posting guidelines.


      • bnashenas1984
        Contributor
        • Sep 2007
        • 257

        #4
        If it was possible to do SQL injection on any script there would be no server left on the earth (thanks to the hackers)

        Only scripts written by beginners have this vulnerability.
        If you filter invalid characters like ", ' before posting your query then you can stop any SQL injection attacks.


        • icesh
          New Member
          • Mar 2008
          • 15

          #5
          oughh,, the reason?
          I'm just curious,, I've read some articles, if we want to secure our web from sql injection, we should use real escape string.. but, why do we need to use those if our web can't be injected..?


          • Markus
            Recognized Expert Expert
            • Jun 2007
            • 6092

            #6
            Originally posted by icesh
            oughh,, the reason?
            I'm just curious,, I've read some articles, if we want to secure our web from sql injection, we should use real escape string.. but, why do we need to use those if our web can't be injected..?
            Curiosity killed the cat.

            SQL Injection does work; I can only assume you weren't doing it right.

            Have a look at this.


            • icesh
              New Member
              • Mar 2008
              • 15

              #7
              Hmm.. I still can't do it..

              Code:
              <?php
              
              	$mysql_host = "localhost";
              	$mysql_user = "root";
              	$mysql_pass = "";
              	$mysql_db = "kp";
              	$konek = mysql_connect($mysql_host,$mysql_user,$mysql_pass);
              	if(!$konek) die(mysql_error());
              	$pilihdb = mysql_select_db($mysql_db,$konek);
              	if(!$pilihdb) die(mysql_error());
              
              	$namatim = $_POST['namatim'];
              	$password = $_POST['password'];
              
              	$query = mysql_query("select * from peserta where namatim = '$namatim' and password = '$password'");
              	$row = mysql_fetch_array($query);
              
              	echo $password;
              
              	mysql_close($konek);
              
              ?>
              
              
              	<form name='form1' method='post' action='cobalg.php'>
              			<table width='80%' border='0' align='center' cellpadding='2' cellspacing='2'>
              					<tr align='left'>
              							<td>Nama Tim</td>
              							<td><input type='text' name='namatim'></td>
              					</tr>
              					<tr align='left'>
              							<td>Password</td>
              							<td><input type='password' name='password'></td>
              					</tr>
              					<tr>
              							<td align='right'>&nbsp;</td>
              							<td align='left'>&nbsp;</td>
              					</tr>
              					<tr>
              							<td align='right'><input type='submit' value='Login' name='login'></td>
              							<td align='left'><input type='reset' value='Reset'></td>
              					</tr>
              			</table>
              	</form>
              When I entered ' or '1'='1 as the password & echoed it,,
              it became: \' or \'1\'=\'1
              Why did this happen? I don't even use mysql_real_escape_string()?
              Did I do something wrong?


              • Atli
                Recognized Expert Expert
                • Nov 2006
                • 5062

                #8
                You probably have Magic Quotes turned on. That would automatically escape user input.

                If you just use mysqli_real_escape_string then you will be protected against SQL injection. It should escape any character that could be interpreted as anything but input data, like quote marks.


                • icesh
                  New Member
                  • Mar 2008
                  • 15

                  #9
                  lol,, so it's because of the magic quotes.. I see.. ^^
                  Now my question is,, do we still need to use mysql_real_escape_string?
                  Isn't magic quotes safe enough?


                  • FLEB
                    New Member
                    • Aug 2008
                    • 30

                    #10
                    Originally posted by icesh
                    Isn't magic quotes safe enough?
                    It's always better to be explicit. Magic Quotes is a PHP option that escapes input strings before they are passed to your PHP script. However, this feature can be turned off (and a script that depends upon Magic Quotes will most likely work the same, just have more security holes).

                    It's better to turn off Magic Quotes and explicitly escape strings yourself. It assures that you're escaping everything you intend to, and assures that the script will remain secure if it runs in an environment where Magic Quotes are turned off.

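The advice in post #10 (behave the same whether or not Magic Quotes is on, and escape explicitly), as an added example that is not part of the thread or any poster's code. It assumes PHP with the PDO SQLite driver; the in-memory table mirrors the `peserta` table from post #7 with a constructed row, `raw_value()` and the `rows_*` functions are hypothetical helpers, and `PDO::quote()` and bound parameters stand in for the `mysql_real_escape_string()` call the thread discusses.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// script in post #7; the row and the in-memory SQLite database are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE peserta (namatim TEXT, password TEXT)");
$db->exec("INSERT INTO peserta VALUES ('tim1', 's3cret')");

// Undo Magic Quotes if the runtime applied them, so the script sees the same
// raw value in every environment (the function no longer exists in PHP 8).
function raw_value($v) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($v);
    }
    return $v;
}

// Unescaped concatenation, as in the posted script: input becomes SQL text.
function rows_concat(PDO $db, $name, $pass) {
    $sql = "SELECT * FROM peserta WHERE namatim = '$name' AND password = '$pass'";
    return count($db->query($sql)->fetchAll());
}

// Explicit escaping with the driver's own routine; PDO::quote() also adds
// the surrounding quotes, so the value stays inside one string literal.
function rows_quoted(PDO $db, $name, $pass) {
    $sql = "SELECT * FROM peserta WHERE namatim = " . $db->quote($name)
         . " AND password = " . $db->quote($pass);
    return count($db->query($sql)->fetchAll());
}

// Bound parameters: the value is never spliced into the SQL text at all.
function rows_prepared(PDO $db, $name, $pass) {
    $st = $db->prepare("SELECT * FROM peserta WHERE namatim = ? AND password = ?");
    $st->execute(array($name, $pass));
    return count($st->fetchAll());
}

$name = raw_value("tim1");
$pass = raw_value("' or '1'='1");   // the password value tried in post #7

printf("concatenated: %d row(s)\n", rows_concat($db, $name, $pass));
printf("quoted:       %d row(s)\n", rows_quoted($db, $name, $pass));
printf("prepared:     %d row(s)\n", rows_prepared($db, $name, $pass));
printf("real login:   %d row(s)\n", rows_prepared($db, 'tim1', 's3cret'));
```

With the value from post #7, only the concatenated form matches the stored row without the real password; the quoted and bound forms compare it as a literal string and match only on the correct credentials.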

                    • pbmods
                      Recognized Expert Expert
                      • Apr 2007
                      • 5821

                      #11
                      Just to add to that, magic_quotes builds bad habits because you learn *not* to escape values before sending them out.

                      This is one of the reasons why register_globals was also turned off by default in PHP 4.2 and will be removed from PHP 6 (http://php.net/register_globals).


                      • icesh
                        New Member
                        • Mar 2008
                        • 15

                        #12
                        thx all,, all of my questions have been answered..
                        this thread can be closed..
                        Thx for everyone
