473,583 Members | 3,424 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

sql injection on my own web server

15 New Member
i've installed xampp on my pc..
Can I do sql injection on my own web server? (I've read some articles & tried it but I couldn't do sql injection, dunno why)
Anyone can help me?
Sep 17 '08 #1
11 1687
Markus
6,050 Recognized Expert Expert
I don't quite understand the point of this..

You wish to do sql injection on your local machine?

One question: Why?
Sep 17 '08 #2
Atli
5,058 Recognized Expert Expert
Yea, I would have to agree with Markus. This does seem somewhat pointless.
One usually aims to prevent SQL injection.

Are you looking for tips on how to actually do SQL Injection, because that would violate our posting guidelines.
Sep 17 '08 #3
bnashenas1984
258 Contributor
If it was possible to do SQL injection on any script there would be no server left on the earth (thanks to the hackers)

Only scripts written by beginers have this vulnerability.
If you filter invalid charecters like ", ' before posting your query then you can stop any SQL injection attacks
Sep 17 '08 #4
icesh
15 New Member
oughh,, the reason?
I'm just curious,, I've read some articles, if we want to secure our web from sql injection, we should use real escape string.. but, why do we need to use those if our web can't be injected..?
Sep 18 '08 #5
Markus
6,050 Recognized Expert Expert
oughh,, the reason?
I'm just curious,, I've read some articles, if we want to secure our web from sql injection, we should use real escape string.. but, why do we need to use those if our web can't be injected..?
Curiosity killed the cat.

SQL Injection does work; I can only assume you weren't doing it right.

Have a look at this.
Sep 18 '08 #6
icesh
15 New Member
Hmm.. I still can't do it..

Expand|Select|Wrap|Line Numbers
  1. <?php
  2.  
  3.     $mysql_host = "localhost";
  4.     $mysql_user = "root";
  5.     $mysql_pass = "";
  6.     $mysql_db = "kp";
  7.     $konek = mysql_connect($mysql_host,$mysql_user,$mysql_pass);
  8.     if(!$konek) die(mysql_error());
  9.     $pilihdb = mysql_select_db($mysql_db,$konek);
  10.     if(!$pilihdb) die(mysql_error());
  11.  
  12.     $namatim = $_POST['namatim'];
  13.     $password = $_POST['password'];
  14.  
  15.     $query = mysql_query("select * from peserta where namatim = '$namatim' and password = '$password'");
  16.     $row = mysql_fetch_array($query);
  17.  
  18.     echo $password;
  19.  
  20.     mysql_close($konek);
  21.  
  22. ?>
  23.  
  24.  
  25.     <form name='form1' method='post' action='cobalg.php'>
  26.             <table width='80%' border='0' align='center' cellpadding='2' cellspacing='2'>
  27.                     <tr align='left'>
  28.                             <td>Nama Tim</td>
  29.                             <td><input type='text' name='namatim'></td>
  30.                     </tr>
  31.                     <tr align='left'>
  32.                             <td>Password</td>
  33.                             <td><input type='password' name='password'></td>
  34.                     </tr>
  35.                     <tr>
  36.                             <td align='right'>&nbsp;</td>
  37.                             <td align='left'>&nbsp;</td>
  38.                     </tr>
  39.                     <tr>
  40.                             <td align='right'><input type='submit' value='Login' name='login'></td>
  41.                             <td align='left'><input type='reset' value='Reset'></td>
  42.                     </tr>
  43.             </table>
  44.     </form>
  45.  
  46.  
when i entered ' or '1'='1 as the password & echoed it,,
it became: \' or \'1\'=\'1
why was this happened? i don't even use mysql_real_esca pe_string() ?
did i do something wrong?
Sep 18 '08 #7
Atli
5,058 Recognized Expert Expert
You probably have Magic Quotes turned on. That would automatically escape user input.

If you just use mysqli_real_esc ape_string then you will be protected against SQL injection. It should escape any character that could be interpreted as anything but a input data, like quote-marks.
Sep 18 '08 #8
icesh
15 New Member
lol,, so it's because of the magic quotes.. I see.. ^^
Now my question is,, do we still need to use mysql_real_esca pe_string?
Isn't magic quotes safe enough?
Sep 18 '08 #9
FLEB
30 New Member
Isn't magic quotes safe enough?
It's always better to be explicit. Magic Quotes is a PHP option that escapes input strings before they are passed to your PHP script. However, this feature can be turned off (and a script that depends upon Magic Quotes will most likely work the same, just have more security holes).

It's better to turn off Magic Quotes and explicitly escape strings yourself. It assures that you're escaping everything you intend to, and assures that the script will remain secure if it runs in an environment where Magic Quotes are turned off.
Sep 18 '08 #10

Sign in to post your reply or Sign up for a free account.

Similar topics

11
2615
by: Bă§TăRĐ | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A...
7
1727
by: joshsackett | last post by:
All, I am trying to test an attack against a web page. The VBScript runs 2 queries against the database; the first must succeed before the second runs. Here is the code: 1st- select * from users where (userid=' + @string + ') and password=' + @pwdstring + ' 2nd-
10
23898
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages. Thanks.
8
3705
by: stirrell | last post by:
Hello, One problem that I had been having is stopping email injections on contact forms. I did some research, read up on it and felt like I had created a working solution. I hadn't gotten any suspicious bouncebacks in quite some time and got many custom alerts I had set up for notifying me of injection attempts. However, just the other day,...
29
2099
by: sinbuzz | last post by:
Hi, I'm curious about the best way to avoid SQL Injection attacks against my web server. Currently I'm on IIS. I might be willing to switch to something like Apache but I'm not sure if SQL Injection is is a generic enough of an attack to cause me worries once I make the
3
5414
by: =?Utf-8?B?Um9kbmV5IFZpYW5h?= | last post by:
IIS 6 SQL Injection Sanitation ISAPI Wildcard at http://www.codeplex.com/IIS6SQLInjection I created an ISAPI dll application to prevent SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for...
2
4308
by: Jerry Winston | last post by:
We all know SQL injection attacks can easily get break SQL command strings concatenated with unsanitized user input fields: set commandObj = Server.CreateObject("ADODB.Connection") set rs = Server.CreateObject("ADODB.Recordset") commandObj.ConnectionString = myGenericConnectionString commandObj.Open sqlCMD ="INSERT INTO myTable...
7
1619
by: Cirene | last post by:
I am using formview controls to insert/update info into my tables. I'm worried about SQL injection. How do you recommend I overcome this issue? In the past I've called a custom cleanup routine like this: Public Function CleanUpText(ByVal TextToClean As String) As String TextToClean = TextToClean.Replace(";", ".") TextToClean =...
2
1897
by: Brian Bozarth | last post by:
This is weird, I'm pretty familiar with SQL Injection - but we're getting these weird injection that is writing in the default document or home page. What it's doing is putting in script code at the top or bottom of the home page... it looks something like this: <script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5 ()...
22
2634
by: Voodoo Jai | last post by:
I have a page the uses a form to pass a postcode to another page and I want to test it against an SQL Injection. What would be a safe (i.e NO DELETING of data ) statement to try and how would I format this to try in the form. I have limited the field to 10 chars so I know i would have to test it with a larger field because a hacker could just...
0
7893
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7821
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
1
7928
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
8188
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
6574
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
5695
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
3813
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
0
3839
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
1422
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.