ROBOT.LK

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Details
Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user. A common example is a Web application that manages products. In one of the Web application's dynamic pages (such as ASP), users are able to enter a product identifier and view the product name and description. The request sent to the database to retrieve the product's name and description is implemented by the following SQL statement. Typically, Web applications use string queries, where the string contains both the query itself and its parameters. The string is built using server-side script languages such as ASP, JSP and CGI, and is then sent to the database server as a single SQL statement. The following example demonstrates an ASP code that generates a SQL query. The call Request.QueryString("ProductID") extracts the value of the Web form variable ProductID so that it can be appended as the SELECT condition.

When a user enters the following URL: The corresponding SQL query is executed: An attacker may abuse the fact that the ProductID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL: The corresponding SQL Statement is: This condition would always be true and all ProductName and ProductDescription pairs are returned. The attacker can manipulate the application even further by inserting malicious commands. For example, an attacker can request the following URL: In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products" which causes SQL Server to delete the entire Products table.

An attacker may use SQL injection to retrieve data from other tables as well. This can be done using the SQL UNION SELECT statement. The UNION SELECT statement allows the chaining of two separate SQL SELECT queries that have nothing in common. For example, consider the following SQL query: The result of this query is a table with two columns, containing the results of the first and second queries, respectively. An attacker may use this type of SQL injection by requesting the following URL: The security model used by many Web applications assumes that an SQL query is a trusted command. This enables attackers to exploit SQL queries to circumvent access controls, authentication and authorization checks. In some instances, SQL queries may allow access to host operating system level commands. This can be done using stored procedures. Stored procedures are SQL procedures usually bundled with the database server. For example, the extended stored procedure xp_cmdshell executes operating system commands in the context of a Microsoft SQL Server. Using the same example, the attacker can set the value of ProductID to be "123;EXROBOT.LK master..xp_cmdshell dir--", which returns the list of files in the current directory of the SQL Server process.

Prevention
The most common way of detecting SQL injection attacks is by looking for SQL signatures in the incoming HTTP stream. For example, looking for SQL commands such as UNION, SELECT or xp_. The problem with this approach is the very high rate of false positives. Most SQL commands are legitimate words that could normally appear in the incoming HTTP stream. This will eventually case the user to either disable or ignore any SQL alert reported. In order to overcome this problem to some extent, the product must learn where it should and shouldn't expect SQL signatures to appear. The ability to discern parameter values from the entire HTTP request and the ability to handle various encoding scenarios are a must in this case.

Read more at http://en.wikipedia.org/wiki/SQL_injection

Howto stop these in php?

[ Post made via Mobile Device ]

The definition for trim says this.

trim — Strip whitespace (or other characters) from the beginning and end of a string

So it can't remove whitespaces that are within the string. So this is not much use.

User can still enter something like mypass1' OR 1=1 for password to do SQL Injection. In this way user can enter to the system.

When you store the password_hash instead password, see what it does below. So all whitespaces that are in the user input will be discarded.

Do you get the point?

already I'm using it.

[ Post made via Mobile Device ]

Hey, you edited your post. Where is 'trim' thing you asked me earlier?

Sorry, I edited it before your reply. but you have replied to old one. Becaue we have done it at same time.

[ Post made via Mobile Device ]

Yes!

I recorded everythings witch hackers do on my site.

I learned a main trick. but I can't understand How it works.

If I paste below at the start of my php, it add this email as every users' email.

$_SERVER['HTTP_USER_AGENT']="',email='[email protected]'#";

Please anyone explain it.

[ Post made via Mobile Device ]

Ok. I found how it works.

there is a function like below in my script.

And I debuged it as below. Thankz.

[ Post made via Mobile Device ]

$_SERVER['HTTP_USER_AGENT'] is used to return the contents of the User-Agent.

This returns something like below. Now, From this function, $ubr becomes something like Mozilla/4.5.

I don't understand the code from there onwards due to lack of variables including $uid.

Hope this helps!

This stores the browser of user. $uid is user's id.


thankz.

[ Post made via Mobile Device ]