问题
I have some code like this which is open to SQL injection. We got hacked and now we fixed it. I just want to know what the inputs (username and password) must be in order to hack this code. I mean even if you input
username = something' OR 'x'='x
Then you can retrieve the password of the first user in the table regardless of the username. However, inside the if we check whether this password is correct. I am assuming the password was very easy (as easy as 123456) and the hacker made a brute-force from a dictionary. However I am wondering if there is another way to hack this code using some injection other than brute-forcing the password.
<?php
$username=$_POST['username'];
$password=$_POST['password'];
$result=runQuery("SELECT password FROM tbl_users WHERE username='".$username."''");
$row=mysql_fetch_array($result);
if($row['password']==$password){
-- do sth... create a cookie etc..
}
else{
--go to another page...
}
?>
回答1:
Use variable binding in PDO library.
回答2:
If hacker pass value:
$username = "' OR * OR '"
then query will be:
SELECT password FROM tbl_users WHERE username='' OR * OR ''; - this will be select any user.
But hacker can:
$username = "'; DELETE * FROM tbl_users WHERE username = * OR '";
SELECT password FROM tbl_users WHERE username = ''; DELETE * FROM tbl_users WHERE username = * OR '';
Or can made UPDATE to change any password.
Safety? mysql_real_escape_string or preg_match("/^[a-zA-Z0-9]{3,15}$/", $username), for example.
回答3:
Using boolean blind or time blind injection hacker can retrieve all the database structure.
Example:
username = 'admin' and if(1=1, sleep(10), 5222) #
This query gonna take 10 second to return and confirm that your condition is true or false. Using the information_schema and SQL condition test you can retrieve all databases information.
来源:https://stackoverflow.com/questions/18835803/hacking-php-code-with-sql-injection