Collaborate Disseminate
For academical purposes I need to explode a blind sql injection on a form paramater which is sent using the POST method. The form is very simple, it just has an input text box where to introduce the name of a user and a submit button, the … Continue reading sqlmap HTTP 405 error on a vulnerable POST parameter
Here’s the vulnerable code:
<?php
$filtered = “/information|schema|_/i”;
#… blahblah
$query = “SELECT * FROM user WHERE id=’$id’ AND pw=’$pw’;”; // exist hidden column
$query = @mysql_fetch_array(mysql_query($query… Continue reading SQLi : Extract MySQL data without knowing column names?
I’m trying to learn about “Double Query Injections”, but in the tutorials they write following the command but without any explanation:
(select * from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables wh… Continue reading Double Query injection
I’m developing a user-facing, public-accessible website where the user can input an arbitrary, hostile search term. After that, the app must do something conceptually like this against a MySQL db
SELECT fields FROM table WHERE field1 LIKE %user_input%
I must make this happen in a sql-injection safe way. So my first thought is using PDO as I’m doing everywhere else:
SELECT fields FROM table WHERE field1 LIKE :user_input_placeholder
$arrParam = array(“:user_input_placeholder” => ‘%’ . $user_input .
‘%’)
But this string concatenation doesn’t feel safe at all to me: if the user provides ‘user_%_input’ that percent won’t be escaped and will be parsed as a SQL special char. This smells dangerous already.
Someone over at SO seems to agree and proposes to do this:
SELECT fields FROM table WHERE field1 LIKE CONCAT(‘%’, :user_input_placeholder, ‘%’)
$arrParam = array(“:user_input_placeholder” => $user_input)
This looks better to me, but, still, I’m not 100% sure that this would be sql-injection free. Could you please confirm that this is the correct way to do it? If not, please provide a failing example.
Note: I must remain portable and use PDO function, so mysql_escape_string() is not a solution. I also would prefer not to manually strip-out SQL specials like % or _.
Continue reading Is MySQL CONCAT with PDO enough to protect LIKEs from SQL injection?
I practice about error based sql injection but there isn’t any good reference for it ..
for example 🙂 :
mysql> select count(*),floor(rand()*2) as a from users group by a;
ERROR 1062 (23000): Duplicate entry ‘0’ for key… Continue reading can anybody explain error based sql injection attacks
I want to write login scripts for clients websites to make them more secure. I want to know what best practices I can implement into this. There are password protected control panels in abundance, but very few seem to implement best practi… Continue reading Session management and login PHP scripts
I’m playing around with sqlmap, and I’m having a little trouble dumping database columns.
I can dump all of them at once which is great, but this database has thousands of users and dumping every column would take over a day, whereas dumpi… Continue reading sqlmap – Dump multiple columns at once? [closed]
Before launch of a project, I reset the server’s mysql root password. The colo that is hosting project wants the server’s root database password stored in the .my.cnf file, in plain text, with the permissions set to 400. I ju… Continue reading MySql root password stored in .my.cnf
Is it possible to update a field in a MySQL database or insert a new row using SQL injection in this case:
The only protection in the PHP code is mysql_real_escape_string().
The query is constructed in double quotes: “select id from db … Continue reading SQL Injection Modify / Insert Table Values
I want to know the table name and column names of that table in website login page. How should I do that.
There are only two input fields, Username and Password.
And it is vulnerable to Sql injection, because when I inject … Continue reading How to know table name, and column names for login panel