May 13th, 2010, 12:49 AM
#1
Thread Starter
New Member
Is this error message an sql injection hole?
I have an error in my login form if I try to log in with a username like ';drop table
"Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."
Is this an indication of a hole?
All the variables I caught with $_GET have been filtered with mysql_real_escape_string.
-
May 13th, 2010, 05:08 AM
#2
Re: Is this error message an sql injection hole?
No. That is something Apache is telling you because you have custom error documents set up (or something), but it can't find the custom error document. Whatever page you're going to can't be found. If you're curious whether you may be vulnerable to SQL injection in general, however, we can't really tell you anything unless you post your code.
Also, if you're only using mysql_query() then the statement in question would be harmless anyway. mysql_query() won't let you execute multiple statements at once, and all you're technically doing there is ending the current statement wherever it happens to be and starting a new statement. It would result in a final query that may look something like this:
Code:
SELECT * FROM users WHERE username='';drop table' and password=MD5('password');
mysql_real_escape_string() has nothing to escape in this case. But mysql_query() can only execute the SELECT, and because the rest of the statement (the password part) is not ignored, this results in a syntax error as well. SQL injection happens when you're trying to manipulate the query. In the same case, if I entered ' OR 1=1; -- in your username field, we would get a final query like this (without mysql_real_escape_string()):
Code:
SELECT * FROM users WHERE username='' OR 1=1; --' and password=MD5('password');
The grey code in this example is actually commented out (-- is a comment in SQL), which would prevent any possible syntax errors. This would result in us automatically being logged in as the first username found in the database, because our expression is looking for a username that is equal to an empty string or 1=1. 1=1 is a true statement, and so this query will always return a record. This is one example of SQL injection. mysql_real_escape_string(), in this case, would escape the single quote to safeguard against an attack like this, and we would instead have a safe query like this:
Code:
SELECT * FROM users WHERE username='\' OR 1=1; --' and password=MD5('password');
Take a look here if you'd like to see my explanation of SQL injection in greater length.
Last edited by kows; May 13th, 2010 at 05:25 AM.
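An added example (not code from the thread) that runs the two inputs kows describes against an in-memory database, comparing the concatenated query with a parameterised one. Assumptions: Python's sqlite3 stands in for MySQL, bound parameters stand in for mysql_real_escape_string() as the fix, a client-side sha256 stands in for MD5(), and the two-user table is constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed sample users standing in for the thread's "users" table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _hash(password):
    # Client-side stand-in for the MD5() call in the thread's query (assumption).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, _hash(p)) for u, p in USERS])
    return conn


def users_table_exists(conn):
    row = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                       "AND name='users'").fetchone()
    return row is not None


def login_concat(conn, username, password):
    """Vulnerable form: the username is concatenated into the SQL, so it is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' and password='" + _hash(password) + "'")
    try:
        row = conn.execute(sql).fetchone()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # ';drop table lands here: sqlite3's execute(), like mysql_query(),
        # refuses a second statement, so the DROP is never run.
        return "error: " + type(exc).__name__
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened form: bound parameters; the username is only ever a value, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? and password=?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "' OR 1=1; --", "wrong"))  # a username, no valid password
    print(login_param(db, "' OR 1=1; --", "wrong"))   # None
```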