Bytes | Software Development & Data Engineering Community

sql injection on my own web server

I've installed XAMPP on my PC.
Can I do SQL injection on my own web server? (I've read some articles and tried it, but I couldn't do SQL injection, dunno why.)
Can anyone help me?
Sep 17 '08 #1
Markus
I don't quite understand the point of this..

You wish to do sql injection on your local machine?

One question: Why?
Sep 17 '08 #2
Atli
Yea, I would have to agree with Markus. This does seem somewhat pointless.
One usually aims to prevent SQL injection.

Are you looking for tips on how to actually do SQL Injection, because that would violate our posting guidelines.
Sep 17 '08 #3
bnashenas1984
If it was possible to do SQL injection on any script, there would be no server left on the earth (thanks to the hackers).

Only scripts written by beginners have this vulnerability.
If you filter invalid characters like " and ' before posting your query, then you can stop any SQL injection attacks.
Sep 17 '08 #4
icesh
oughh,, the reason?
I'm just curious. I've read some articles saying that if we want to secure our web from SQL injection, we should use real escape string. But why do we need to use it if our web can't be injected?
Sep 18 '08 #5
Markus
oughh,, the reason?
I'm just curious. I've read some articles saying that if we want to secure our web from SQL injection, we should use real escape string. But why do we need to use it if our web can't be injected?
Curiosity killed the cat.

SQL Injection does work; I can only assume you weren't doing it right.

Have a look at this.
Sep 18 '08 #6
icesh
Hmm.. I still can't do it..

<?php

    // Connection settings for the local XAMPP MySQL instance
    $mysql_host = "localhost";
    $mysql_user = "root";
    $mysql_pass = "";
    $mysql_db = "kp";
    $konek = mysql_connect($mysql_host, $mysql_user, $mysql_pass);
    if (!$konek) die(mysql_error());
    $pilihdb = mysql_select_db($mysql_db, $konek);
    if (!$pilihdb) die(mysql_error());

    // Form fields are taken as-is; no escaping is applied in this script
    $namatim = $_POST['namatim'];
    $password = $_POST['password'];

    // The raw values are concatenated straight into the query string
    $query = mysql_query("select * from peserta where namatim = '$namatim' and password = '$password'");
    $row = mysql_fetch_array($query);

    // Echo the submitted password to see what the script actually received
    echo $password;

    mysql_close($konek);

?>


    <form name='form1' method='post' action='cobalg.php'>
            <table width='80%' border='0' align='center' cellpadding='2' cellspacing='2'>
                    <tr align='left'>
                            <td>Nama Tim</td>
                            <td><input type='text' name='namatim'></td>
                    </tr>
                    <tr align='left'>
                            <td>Password</td>
                            <td><input type='password' name='password'></td>
                    </tr>
                    <tr>
                            <td align='right'>&nbsp;</td>
                            <td align='left'>&nbsp;</td>
                    </tr>
                    <tr>
                            <td align='right'><input type='submit' value='Login' name='login'></td>
                            <td align='left'><input type='reset' value='Reset'></td>
                    </tr>
            </table>
    </form>

When I entered ' or '1'='1 as the password and echoed it,
it became: \' or \'1\'=\'1
Why did this happen? I don't even use mysql_real_escape_string().
Did I do something wrong?
Sep 18 '08 #7
Atli
You probably have Magic Quotes turned on. That would automatically escape user input.

If you just use mysqli_real_escape_string then you will be protected against SQL injection. It should escape any character that could be interpreted as anything but input data, like quote marks.
Sep 18 '08 #8
icesh
lol,, so it's because of the magic quotes.. I see.. ^^
Now my question is,, do we still need to use mysql_real_escape_string?
Isn't magic quotes safe enough?
Sep 18 '08 #9
FLEB
Isn't magic quotes safe enough?
It's always better to be explicit. Magic Quotes is a PHP option that escapes input strings before they are passed to your PHP script. However, this feature can be turned off (and a script that depends upon Magic Quotes will most likely work the same, just have more security holes).

It's better to turn off Magic Quotes and explicitly escape strings yourself. It assures that you're escaping everything you intend to, and assures that the script will remain secure if it runs in an environment where Magic Quotes are turned off.
Sep 18 '08 #10
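To show what "explicitly escape strings yourself" looks like in practice, here is the login query from post #7 rebuilt with a mysqli prepared statement, so the input is bound as data rather than spliced into the SQL, and with Magic Quotes undone first so the script behaves the same whether the option is on or off. This is an added example, not code from the thread; it assumes the same host, user, database and table names as the posted script, and that it runs on a PHP version where get_magic_quotes_gpc() still exists (it was removed in PHP 8).

```php
<?php
// Added example (not from the thread): parameterised version of the post #7 login.

// Undo Magic Quotes if the runtime has them on, so we always start from the
// raw value and do the escaping ourselves (get_magic_quotes_gpc: PHP < 8 only).
function rawInput($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Returns true when a row matches namatim/password, false otherwise.
// The values never touch the SQL text: a password of ' or '1'='1 is compared
// literally against the column instead of changing the WHERE clause.
function teamExists(mysqli $db, $namatim, $password) {
    $sql = "SELECT 1 FROM peserta WHERE namatim = ? AND password = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $namatim, $password);   // "ss": two string parameters
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

$db = new mysqli('localhost', 'root', '', 'kp');   // assumed: same settings as post #7
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

$namatim  = rawInput('namatim');
$password = rawInput('password');

echo teamExists($db, $namatim, $password) ? 'Login OK' : 'Login failed';

// If the submitted value is echoed back for debugging, encode it for HTML too.
echo '<br>You sent: ' . htmlspecialchars($password, ENT_QUOTES, 'UTF-8');

$db->close();
?>
```

Submitting the same ' or '1'='1 value against this version returns "Login failed" regardless of the Magic Quotes setting, which is the behaviour the script in post #7 could not guarantee.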
pbmods
Just to add to that, magic_quotes builds bad habits because you learn *not* to escape values before sending them out.

This is one of the reasons why register_globals was also turned off by default in PHP 4.2 and will be removed from PHP 6 (http://php.net/register_globals).
Sep 18 '08 #11
icesh
thx all,, all of my questions have been answered..
this thread can be closed..
Thx for everyone
Sep 19 '08 #12
