
Question

SQL injection on a search

The way Search performs its task is by executing the following query (in a php script):

$var=stripslashes($_POST['search']);
$query = "SELECT username from lab1_login where username ='".$var."'";

The structure of the database table that is maintained by the webservice and on which this query runs is as follows:

mysql> desc lab1_login;
+----------+--------------+------+-----+---------+----------------+
| Field    | Type         | Null | Key | Default | Extra          |
+----------+--------------+------+-----+---------+----------------+
| uid      | int(11)      | NO   | PRI |         | auto_increment |
| username | varchar(255) | YES  |     |         |                |
| password | varchar(255) | YES  |     |         |                |
+----------+--------------+------+-----+---------+----------------+

Your task is to now perform a SQL Injection attack in the "Search for users" box such that it prints out all the usernames and passwords.   

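To make the trust boundary in the script above concrete, here is an added example (not code from the question or the answer) that mirrors the PHP query construction in Python with an in-memory SQLite table, since that runs offline; the lab1_login rows are constructed sample data, and the stripslashes function is an approximation of PHP's stripslashes written for this example. It places the string-concatenated query beside a parameterized one and feeds both a legitimate username containing an apostrophe, which is enough to show that the concatenated version lets user input reach the SQL parser while the bound parameter never does.

```python
import re
import sqlite3

# Constructed sample rows standing in for the lab1_login table; one username
# contains an apostrophe, which is ordinary data, not an attack string.
SAMPLE_ROWS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
    (3, "O'Brien", "pw-obrien"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL table described in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE lab1_login ("
        " uid INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username VARCHAR(255),"
        " password VARCHAR(255))"
    )
    conn.executemany("INSERT INTO lab1_login VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def stripslashes(s):
    """Approximation (assumed, for this example) of PHP's stripslashes(): drop
    the backslash from every backslash-escaped pair. Note that it only ever
    removes escaping; it is not a sanitizer and never adds any."""
    return re.sub(r"\\(.)", r"\1", s)


def build_query_concat(term):
    """Mirrors the PHP script: the (unslashed) POST value becomes part of the
    SQL text itself."""
    return "SELECT username FROM lab1_login WHERE username = '" + stripslashes(term) + "'"


def search_concat(conn, term):
    """Run the concatenated query. Returns the matching usernames, or None when
    the input changed the statement so that it no longer parses."""
    try:
        return [row[0] for row in conn.execute(build_query_concat(term))]
    except sqlite3.Error:
        return None


def search_param(conn, term):
    """Same lookup with a bound parameter: the value travels separately from
    the SQL text, so a quote inside it is just a character to compare."""
    rows = conn.execute(
        "SELECT username FROM lab1_login WHERE username = ?", (stripslashes(term),)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    for term in ["alice", "1729 OR 1=1", "O'Brien", "O\\'Brien"]:
        print(repr(term),
              "concat:", search_concat(conn, term),
              "param:", search_param(conn, term))
```

With the apostrophe input the concatenated form fails to parse (search_concat returns None) because the input terminated the string literal early, whereas the parameterized form returns the O'Brien row. In PHP the equivalent fix is a prepared statement, for example PDO's prepare("SELECT username FROM lab1_login WHERE username = ?") followed by execute([$var]), which keeps the query text fixed regardless of what the search box contains.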

Explanation / Answer

Hi,

An SQL injection is a malicious activity that injects into SQL and gets the whole data. For this, I assume that the "Search for users" input box asks us to give a username. So, let's start by giving this: "1729 OR 1=1". This is a basic query which will tend to return all the rows in the table. Let's try to debug it from the PHP.

When we enter that in the input box and click Submit, it will go as an argument in the POST request. Here, the name of the argument is search.

$var=stripslashes($_POST['search']);

As in the above line, $_POST['search'] will give "1729 OR 1=1". Then stripslashes("1729 OR 1=1"): there are no slashes, so finally $var="1729 OR 1=1".

$query = "SELECT username from lab1_login where username ='".$var."'";

The next line constructs an SQL query, so here $var will be substituted. So $query becomes SELECT username from lab1_login where username='1729 OR 1=1';

When we execute that query, it goes to the SQL engine, which translates the query; in the condition, 1=1 is True, so whatever username we pass, it is True for all rows, and it will fetch the information for all of them.

Here's a sample output from my local mysql.

mysql> select username from users where username=105 or 1=1;
+----------+
| username |
+----------+
|      123 |
|     1234 |
|     1235 |
|     1245 |
+----------+
4 rows in set (0.01 sec)