How Basic SQL injection can be prevented: A must for website Administrators

Discussion in 'Scripts & Commands' started by Musadiq, 18 Feb 2013.

  1. Musadiq

    Musadiq Active Member

    Joined:
    26 Jan 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    41
    The basic attack is login form bypassing which has already been discussed in the previous post. In this type of SQLi we inject queries like 1‘OR’1‘=’1 etc. in the username and password fields.
    The code which is used in these types of websites that can be easily
    bypassed through the above said queries Apart from this the user can also delete the database by executing "' drop table database; --".

    Below is the code, which permits the said queries:

    HTML:
    Select All
    index.html file: <form action="login.php" method="POST" /> <p>Password: <input type="text" name="pass" /><br /> <input type="submit" value="Authenticate" /></p> </form> login.php file: <?php // EXAMPLE CODE $execute = "SELECT * from database WHERE password = '{$_POST['pass'])"; $result = mysql_query($execute); ?>

    If you are having this type of code then You will have to use mysql_real_escape_string in the php code

    Here is the php code.


    Code:
    Select All
    <?php $badword = "' OR 1 '"; $badword = mysql_real_escape_string($badword); $message = "SELECT * from database WHERE password = "'$badword'"; echo "Blocked " . $message . "; ?>


    Be Happy Always :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful: :joyful:
     
Loading...
  • About Us

    We are a community mixed with professionals and beginners with an interest in wireless security, auditing and pentesting. Feel free to check out and upload resources.


    You can also find us on: Twitter and Facebook

  • Donate to Us

    Did you find our forums useful? Feel free to donate Bitcoin to us using the form below. Those who donate the equivlent of $10 USD or more will be upgraded to VIP membership. Don't have Bitcoin? Use your credit card to GO VIP here. Don't want to fork out some coin? There are other ways to GO VIP. Bitcoin: 1LMTGSoTyJWXuy2mQkHfgMzD7ez74x1Z8K