Prevent SQL injections with the help of PHP
I’m quite a fan of using PHP and MySQL to create sites, and I also like the ease with which tools such as Adobe Dreamweaver can help you create pages that request information from a database.
You can build a page that lists all the parts in your database, for example, and then add a dropdown menu that filters by category, just calling the same page again with a parameter.
But this is where problems can creep in. You might have a page, which started out as something like partslist.php. You’ve decided to add a dropdown menu and refine the query in Dreamweaver, which makes it easy to check a query string and select data based on that.
So you end up with a script with a URL that looks like partslist.php?catid=brakes.
You check the PHP code and see something that looks like this:
$colname_parts = "1";
if (isset($_GET['catid'])) {
    $colname_parts = (get_magic_quotes_gpc()) ? $_GET['catid'] : addslashes($_GET['catid']);
}
The addslashes function stops people putting any funny business in there, doesn’t it? Well, no. It puts a backslash before quote characters (and before backslashes and NUL bytes), but that’s it: anything that contains none of those passes through untouched. Doesn’t PHP’s mysql_query function run only one statement at a time, helping prevent problems? Sort of.
There are many ways to get useful information from a script without needing to add an extra query. The UNION command in SQL is a favourite.
Dreamweaver will typically assume that the $colname_parts variable is OK and build a query incorporating it, which will look something like this:
SELECT partno, name, description, category, price FROM parts WHERE category = %s
replacing the %s with the variable. Then someone comes to your site and feeds it a query string that looks like so:
catid=-9999+union+all+select+1,concat(username,char(58),email),3,null,5,6,null+from+users
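The two halves of the problem above (escaping only quotes, then splicing the value straight into the SQL string) are fixed by keeping the value out of the statement altogether. The following is an added example, not code from the article or generated by Dreamweaver: it shows the generated pattern next to a parameterised query using PDO, plus a category allow-list for a page whose dropdown only ever offers known values. The table and column names are the article’s; the DSN, credentials, the $allowed list and the buildQueryUnsafe/fetchPartsByCategory/isKnownCategory function names are assumptions made for the example.

```php
<?php
// Added example (not the article's or Dreamweaver's code).
// Assumes the same "parts" table as the article; DSN and credentials are placeholders.
declare(strict_types=1);

// 1. What the generated code effectively does: escape quotes, then splice the
//    value into the SQL text. addslashes() only touches quotes, backslashes and
//    NUL, so a value containing none of those is spliced in unchanged and is
//    parsed by MySQL as part of the statement rather than as data.
function buildQueryUnsafe(string $catid): string
{
    $escaped = addslashes($catid);
    return sprintf(
        'SELECT partno, name, description, category, price FROM parts WHERE category = %s',
        $escaped
    );
}

// 2. The fix: send the SQL and the value to the server separately. The driver
//    binds the value as data, so its contents cannot change the statement's shape.
function fetchPartsByCategory(PDO $pdo, string $catid): array
{
    $stmt = $pdo->prepare(
        'SELECT partno, name, description, category, price FROM parts WHERE category = :catid'
    );
    $stmt->bindValue(':catid', $catid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Belt and braces for a dropdown page: the menu only offers known categories,
//    so anything else can be rejected before it gets near the database.
function isKnownCategory(string $catid, array $allowed): bool
{
    return in_array($catid, $allowed, true);
}

// --- Demonstration with constructed input -----------------------------------
$fromUrl = $_GET['catid'] ?? 'brakes';            // e.g. partslist.php?catid=brakes
echo buildQueryUnsafe($fromUrl), PHP_EOL;          // shows what the old code would have sent

$allowed = ['brakes', 'tyres', 'lights'];          // constructed list of valid categories
if (!isKnownCategory($fromUrl, $allowed)) {
    http_response_code(400);
    exit('Unknown category');
}

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

foreach (fetchPartsByCategory($pdo, $fromUrl) as $row) {
    // Escape on output too: the data came from the database, not from the user,
    // but it still ends up inside HTML.
    echo htmlspecialchars($row['partno']), ' ', htmlspecialchars($row['name']), PHP_EOL;
}
```

Note that the article’s generated query places %s without surrounding quote marks, so a value that contains no quote characters never meets the one thing addslashes acts on; the prepared statement above does not depend on quoting at all, which is why it holds up whether or not the input contains quotes. get_magic_quotes_gpc and magic quotes themselves were removed in PHP 7.0, so the ternary in the generated code no longer even runs on current PHP.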