
sql injection on my own web server

P: 15
I've installed XAMPP on my PC..
Can I do SQL injection on my own web server? (I've read some articles & tried it but I couldn't do SQL injection, dunno why)
Can anyone help me?
Sep 17 '08 #1
11 Replies


Markus
Expert 5K+
P: 6,050
I don't quite understand the point of this..

You wish to do sql injection on your local machine?

One question: Why?
Sep 17 '08 #2

Atli
Expert 5K+
P: 5,058
Yea, I would have to agree with Markus. This does seem somewhat pointless.
One usually aims to prevent SQL injection.

Are you looking for tips on how to actually do SQL Injection, because that would violate our posting guidelines.
Sep 17 '08 #3

100+
P: 258
If it was possible to do SQL injection on any script there would be no server left on the earth (thanks to the hackers)

Only scripts written by beginners have this vulnerability.
If you filter invalid characters like ", ' before posting your query then you can stop any SQL injection attacks.
Sep 17 '08 #4

P: 15
oughh,, the reason?
I'm just curious,, I've read some articles, if we want to secure our web from sql injection, we should use real escape string.. but, why do we need to use those if our web can't be injected..?
Sep 18 '08 #5

Markus
Expert 5K+
P: 6,050
oughh,, the reason?
I'm just curious,, I've read some articles, if we want to secure our web from sql injection, we should use real escape string.. but, why do we need to use those if our web can't be injected..?
Curiosity killed the cat.

SQL Injection does work; I can only assume you weren't doing it right.

Have a look at this.
Sep 18 '08 #6

P: 15
Hmm.. I still can't do it..

```php
<?php

    // Connect to the local MySQL server and select the database
    $mysql_host = "localhost";
    $mysql_user = "root";
    $mysql_pass = "";
    $mysql_db = "kp";
    $konek = mysql_connect($mysql_host,$mysql_user,$mysql_pass);
    if(!$konek) die(mysql_error());
    $pilihdb = mysql_select_db($mysql_db,$konek);
    if(!$pilihdb) die(mysql_error());

    // Form values are taken as received, with no escaping in the script itself
    $namatim = $_POST['namatim'];
    $password = $_POST['password'];

    // The values are interpolated directly into the SQL string
    $query = mysql_query("select * from peserta where namatim = '$namatim' and password = '$password'");
    $row = mysql_fetch_array($query);

    // Show the password value exactly as the script received it
    echo $password;

    mysql_close($konek);

?>


    <form name='form1' method='post' action='cobalg.php'>
            <table width='80%' border='0' align='center' cellpadding='2' cellspacing='2'>
                    <tr align='left'>
                            <td>Nama Tim</td>
                            <td><input type='text' name='namatim'></td>
                    </tr>
                    <tr align='left'>
                            <td>Password</td>
                            <td><input type='password' name='password'></td>
                    </tr>
                    <tr>
                            <td align='right'>&nbsp;</td>
                            <td align='left'>&nbsp;</td>
                    </tr>
                    <tr>
                            <td align='right'><input type='submit' value='Login' name='login'></td>
                            <td align='left'><input type='reset' value='Reset'></td>
                    </tr>
            </table>
    </form>
```

When I entered ' or '1'='1 as the password & echoed it,
it became: \' or \'1\'=\'1
Why did this happen? I don't even use mysql_real_escape_string().
Did I do something wrong?
Sep 18 '08 #7

Atli
Expert 5K+
P: 5,058
You probably have Magic Quotes turned on. That would automatically escape user input.

If you just use mysqli_real_escape_string then you will be protected against SQL injection. It should escape any character that could be interpreted as anything but input data, like quote marks.
Sep 18 '08 #8

P: 15
lol,, so it's because of the magic quotes.. I see.. ^^
Now my question is,, do we still need to use mysql_real_escape_string?
Isn't magic quotes safe enough?
Sep 18 '08 #9

FLEB
P: 30
Isn't magic quotes safe enough?
It's always better to be explicit. Magic Quotes is a PHP option that escapes input strings before they are passed to your PHP script. However, this feature can be turned off (and a script that depends upon Magic Quotes will most likely work the same, just have more security holes).

It's better to turn off Magic Quotes and explicitly escape strings yourself. It assures that you're escaping everything you intend to, and assures that the script will remain secure if it runs in an environment where Magic Quotes are turned off.
Sep 18 '08 #10

pbmods
Expert 5K+
P: 5,821
Just to add to that, magic_quotes builds bad habits because you learn *not* to escape values before sending them out.

This is one of the reasons why register_globals was also turned off by default in PHP 4.2 and will be removed from PHP 6 (http://php.net/register_globals).
Sep 18 '08 #11
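
The point made in the replies above, as an added example that is not part of the thread: the query from post #7 beside a parameterized version whose result does not depend on Magic Quotes or any other input escaping being switched on. It swaps in PDO prepared statements rather than mysql_real_escape_string, and assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory table, team name and password are constructed.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// the poster's MySQL database; the row below is constructed sample data.
// The plaintext password column only mirrors the poster's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE peserta (namatim TEXT, password TEXT)");
$db->exec("INSERT INTO peserta VALUES ('tim_a', 's3cret-constructed')");

// "Before": the query from post #7, built by string interpolation.
// Whether it is safe depends entirely on something else escaping the input.
function login_concat(PDO $db, string $namatim, string $password): bool
{
    $sql = "select * from peserta where namatim = '$namatim' and password = '$password'";
    return $db->query($sql)->fetch() !== false;
}

// "After": placeholders send the values separately from the SQL text,
// so quote characters in the input are compared as data, never parsed as SQL.
function login_prepared(PDO $db, string $namatim, string $password): bool
{
    $stmt = $db->prepare('select * from peserta where namatim = ? and password = ?');
    $stmt->execute([$namatim, $password]);
    return $stmt->fetch() !== false;
}

// Inputs as the script would see them with Magic Quotes turned off.
$cases = [
    'correct password'   => ['tim_a', 's3cret-constructed'],
    'wrong password'     => ['tim_a', 'nope'],
    'input from post #7' => ['tim_a', "' or '1'='1"],
];

foreach ($cases as $label => [$tim, $pass]) {
    printf(
        "%-20s concat=%-5s prepared=%s\n",
        $label,
        var_export(login_concat($db, $tim, $pass), true),
        var_export(login_prepared($db, $tim, $pass), true)
    );
}
```

The two functions agree on the first two inputs and disagree only on the third, where the interpolated query accepts the login and the prepared statement rejects it.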

P: 15
thx all,, all of my questions have been answered..
this thread can be closed..
Thx for everyone
Sep 19 '08 #12
