Can anyone see if there is any SQL injection vulnerability in the following code? Thanks

Question

0.00/5 (No votes)

See more:

<?php
$loc_id = $_GET['location'];

$query = "SELECT * from locations where ID = '$loc_id'";

if (!$mysqli ->query($query)) {
              printf("Error: %s\n", $mysqli->error);
#              print_r($query);
           }
if ($result = $mysqli ->query($query)) {

         /* fetch associative array */
         while ($row = $result ->fetch_assoc()) {
             printf ("%s %s\n", $row["ID"], $row["City"]);

}
?>

What I have tried:

<?php
$loc_id = $_GET['location'];

$query = "SELECT * from locations where ID = '$loc_id'";

if (!$mysqli ->query($query)) {
              printf("Error: %s\n", $mysqli->error);
#              print_r($query);
           }
if ($result = $mysqli ->query($query)) {

         /* fetch associative array */
         while ($row = $result ->fetch_assoc()) {
             printf ("%s %s\n", $row["ID"], $row["City"]);

}
?>

Posted 19-Mar-17 6:18am

jattboyfrompunjab

Updated 12-Jul-18 13:31pm

Add a Solution

Comments

Bryian Tan 19-Mar-17 14:08pm

Yes there is. Let make it simple, I can provide you an example but I need to know how many columns you have in locations table?

Member 13909527 12-Jul-18 17:27pm

There are three columns.

Member 13909527 12-Jul-18 17:27pm

How would you perform a SQL injection attack here? There is a search function and the URL reads website.com/index.php/check-availability/?location=1.

Bryian Tan 12-Jul-18 22:44pm

refer to solution 2

Member 13909527 13-Jul-18 10:17am

I am very new to this and am trying to learn, so please forgive my ignorance. If you only have access to the front end of the website, which includes a drop down, search box and website bar, what would you type in to force an error?

Member 13909527 17-Jul-18 11:27am

I am specifically looking for an error that produces the tables.

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Answer 1 · 2017-03-19T08:00:00

Uhhh, if you can't see the SQL Injection problem in that code, and it's glaringly obvious, you REALLY need to read up on SQL Injection attacks. Google for "SQL Injection attack" and "PHP SQL Injection attack" and start reading.

Yeah, you're taking a value from the web page, NOT VALIDATING IT AT ALL, and then using string concatenation to build the SQL query using that "value". Yeah, that's vulnerable.

You also don't use any kind of parameters in the query and your code.

Bryian Tan · Answer 2 · 2017-03-19T12:20:00

The code is vulnerable to SQL injection. Here is an example. The query will display all the table name in the database. The single quote is to complete the initial query, the union is use to append the result into the first query and the %23 (#) to escape the single quote.

HTML

location=whatever' UNION SELECT distinct TABLE_NAME, TABLE_TYPE,1 from information_schema.tables %23

You can run this query directly in MySQL to see the behavior. I don't know how many columns you have in location table, you can append 1 into the union query until the number of columns match locations table.

SQL

SELECT * from locations where ID = 'whatever' UNION SELECT distinct TABLE_NAME, TABLE_TYPE,1 from information_schema.tables #'

You should follow the suggestion from @Dave Kreskowiak, sanitize/validate the user input before executing it. Remember, never trust the user input.

You can also use the mysqli_real_escape_string function to escape the special characters.

SQL

$loc_id = mysqli_real_escape_string($mysqli, $_GET['location']);

PHP: mysqli::real_escape_string - Manual[^]
PHP mysqli_real_escape_string() Function[^]

Here are different variants of the SQL Injection vulnerability.
SQL Injection Cheat Sheet | Netsparker[^]

Addtional reading
The Hitchhiker's Guide to SQL Injection prevention[^]

ghinckley68 · Answer 3 · 2018-07-12T13:32:00

its not php but should be easy enough to make into php

    'Defines the set of characters that will be checked.
    'You can add to this list, or remove items from this list, as appropriate for your site
    Public Shared SQLblackList As String() = {"--", ";--", ";", "/*", "*/", "@@", _
                                           "@", "char", "nchar", "varchar", "nvarchar", "alter", _
                                           "begin", "cast", "create", "cursor", "declare", "delete", _
                                           "drop", "exec", "execute", "fetch", "insert", _
                                           "kill", "open", "shutdown", "sys", "sysobjects", "syscolumns", _
                                           "table", "update"}

    Public Shared JAVAblackList As String() = {"--", ";--", ";", "/*", "*/", "@@", _
                                           "@", "char", "nchar", "varchar", "nvarchar", "alter", _
                                           "begin", "cast", "create", "cursor", "declare", "delete", _
                                           "drop", "exec", "execute", "fetch", "insert", _
                                           "kill", "open", "select", "shutdown", "sys", "sysobjects", "syscolumns", _
                                           "table", "update"}

    Public Shared VBCSblackList As String() = {"--", ";--", ";", "/*", "*/", "@@", _
                                   "@", "char", "nchar", "varchar", "nvarchar", "alter", _
                                   "begin", "cast", "create", "cursor", "declare", "delete", _
                                   "drop", "end", "exec", "execute", "fetch", "insert", _
                                   "kill", "open", "select", "shutdown", "sys", "sysobjects", "syscolumns", _
                                   "table", "update"}


    'For each incoming request, check the query-string, form and cookie values for suspicious values.
    '   Private Sub app_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    'Dim Request As HttpRequest = TryCast(sender, HttpApplication).Context.Request

    '   For Each key As String In Request.QueryString
    '     CheckInput(Request.QueryString(key))
    '  Next
    'For Each key As String In Request.Form
    '   CheckInput(Request.Form(key))
    ' Next
    ' For Each key As String In Request.Cookies
    '     CheckInput(Request.Cookies(key).Value)
    ' Next
    ' End Sub
    '
    'The utility method that performs the blacklist comparisons
    'You can change the error handling, and error redirect location to whatever makes sense for your site.
    Public Function CheckInput(ByVal parameter As String) As Integer
        _KEY_WORDLIST = String.Empty

        Dim iReturn As Integer = 0

        For i As Integer = 0 To SQLblackList.Length - 1

            If (parameter.IndexOf(SQLblackList(i), StringComparison.OrdinalIgnoreCase) >= 0) Then

                _KEY_WORDLIST = _KEY_WORDLIST + "  " + SQLblackList(i)

                iReturn = 1
            End If
        Next

        Return iReturn

    End Function



End Class

Can anyone see if there is any SQL injection vulnerability in the following code? Thanks

3 solutions

Solution 1

Solution 2

Solution 4

Add your solution here

Preview 0