How do I demonstrate a Second Order SQL Injection?

Question

So I\'ve been trying to replicate a second order SQL Injection. Here\'s an example template of two php based sites that I\'ve prepared. Let\'s just call it a voter registrat

Answer 1

What is there to demonstrate?

Second order SQL injection is nothing more than SQL injection, but the unsafe code isn't the first line.

So, to demonstrate:

1) Create a SQL injection string that would do something unwanted when executed without escaping.

2) Store that string safely in your DB (with escaping).

3) Let some other piece of your code FETCH that string, and use it elsewhere without escaping.

EDIT: Added some examplecode:

A table:

CREATE TABLE tblUsers (
  userId serial PRIMARY KEY,
  firstName TEXT
)

Suppose you have some SAFE code like this, receiving firstname from a form:

$firstname = someEscapeFunction($_POST["firstname"]);

$SQL = "INSERT INTO tblUsers (firstname) VALUES ('{$firstname }');";
someConnection->execute($SQL);

So far, so good, assuming that someEscapeFunction() does a fine job. It isn't possible to inject SQL.

If I would send as a value for firstname the following line, you wouldn't mind:

bla'); DELETE FROM tblUsers; //

Now, suppose somebody on the same system wants to transport firstName from tblUsers to tblWhatever, and does that like this:

$userid = 42;
$SQL = "SELECT firstname FROM tblUsers WHERE (userId={$userid})";
$RS = con->fetchAll($SQL);
$firstName = $RS[0]["firstName"];

And then inserts it into tblWhatever without escaping:

$SQL = "INSERT INTO tblWhatever (firstName) VALUES ('{$firstName}');";

Now, if firstname contains some deletecommand it will still be executed.