We have created a proper login in Part 1. Proper login in the sense it was syntactically OK but not an efficient one.
Let’s how a hacker can get into a system.
He inserts the
username as nobody or 1=1
password = idontknow or 1=1
Now the $sql will get the following value
SELECT * FROM Users WHERE username =’nobody or 1=1′ AND password =’idontknow or 1=1’
Here the the or 1=1 part also within the quote and the OR is considered as a varchar literal not as a logical operator by mySQL. This gives a chance to us.
We introduced the quotes in the statement to make the $sql valid, we did not have the intention of preventing the SQL injection on that time. But it worked well here for the SQL Injection prevention also.
When the above statement is executed in mySQL. It will return an empty set. Because it searches for username ‘nobody or 1=1’ and password ‘idontknow or 1=1’. Which are not available in the Users table.
But the hacker is a smart guy, and he knows that you are using quotes and still wants to make an SQL Injection.
Now he types the following
username = nobody’ or 1=1
password = idontknow’ or 1=1
Then now the $sql gets the value of
SELECT * FROM Users WHERE username =’nobody’ or 1=1′ AND password =’idontknow’ or 1=1′
When this is executed in mySQL
An error comes because the quotes introduced by the hacker and the quotes introduced by the developer.
AGAIN HACKER TRIES
This time he comes with a powerful weapon – COMMENTS.
He tries the following
username = nobody’ or 1=1;#
password = gotcha…
Now the $sql gets the value of
SELECT * FROM Users WHERE username =’nobody’ or 1=1;#’ AND password =’gotcha’
When execute the above in mySQL
The hacker succeeds.
Here after the ; mark he can add any statement like insert, update, drop and finally put the #. This ignores all the rest of the part.
Really this is simple and most websites are prone to this attack.
How to Prevent is on Part 3