https://www.owasp.org/index.php/SQL_Injection
http://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon

Think of it like this:
We have a variable called $q (bad name but nevermind) that will eventually be used to query the database.
This is the variable:
$q = "SELECT * FROM `users` WHERE `username` = '{$_GET['username']}' AND `password` = '{$_GET['password']}'";
Now, aside from GET variables being a bad place to carry sensitive data (they end up in the browser history, server logs and Referer headers), the input is concatenated straight into the SQL string without any escaping.
What happens if $_GET['username'] == "Fur' --"?
That's right! The string sent to the database is SELECT * FROM `users` WHERE `username` = 'Fur' -- ' AND `password` = '...', which the server reads as:
SELECT * FROM `users` WHERE `username` = 'Fur'
But what about the bit checking the password? "-- " (two dashes followed by a space) starts a single-line comment in MySQL, so everything after it, including the whole AND `password` = '...' clause, is ignored.
So we've essentially logged in to Fur's account without knowing the password.
Here's what the login script could look like:
<?php
// This was all written in the browser.
// Deliberately vulnerable: both GET parameters are interpolated straight into the SQL string.
require 'database.php'; // assumed to create $database, a mysqli connection
if (empty($_GET['username']) || empty($_GET['password'])) {
    die('Argument missing');
}
$q = "
    SELECT `is_banned`
    FROM `users`
    WHERE `username` = '{$_GET['username']}'
    AND `password` = '{$_GET['password']}'
";
$queryResult = $database->query($q);
if ($queryResult === false) {
    // query() returns false on a syntax error, e.g. from a malformed injection attempt
    die('Query failed.');
}
$userInfo = $queryResult->fetch_assoc();
if ($queryResult->num_rows == 0) {
    die('Credentials incorrect.');
}
if ($userInfo['is_banned']) {
    die('You have been banned.');
}
die('Credentials correct.');
There are a few improvements that can be made to this script (like hashing the password and using POST instead of GET), but those are just a waste of my time (for this little script anyway).
I do believe that the MySQL API disallows multiple queries to be executed in one statement (unless one uses $db->multi_query in MySQLi), so we can't just enter "Fur'; DELETE FROM `users` --" as the username, but this shouldn't be a problem once we've circumvented the authentication system (which may have a big, juicy admin panel behind it).
Stopping this from happening is easy: use prepared statements (parameterised queries), so the SQL and the user-supplied values reach the server separately, or, failing that, escape every piece of user input with the driver's escaping function before it goes into the SQL string.
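Here is the same login check rewritten with a mysqli prepared statement, as an added example (it is not the original poster's code). It assumes, like the script above, that database.php creates a mysqli connection in $database; it also takes the credentials from POST and assumes the `password` column holds a password_hash() digest rather than plaintext, the two further improvements mentioned above.

```php
<?php
// Added example: the login check from the vulnerable script, done with a prepared statement.
// Assumptions: database.php creates $database (a mysqli connection), credentials arrive via POST,
// and users.password stores a password_hash() digest.
require 'database.php';

if (empty($_POST['username']) || empty($_POST['password'])) {
    die('Argument missing');
}

// The statement text contains only a placeholder. The username is sent separately when the
// statement is executed, so a value such as "Fur' --" is compared literally against the
// username column and can never change the shape of the query.
$stmt = $database->prepare(
    'SELECT `password`, `is_banned` FROM `users` WHERE `username` = ?'
);
if ($stmt === false) {
    die('Query preparation failed.');
}
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
$stmt->bind_result($storedHash, $isBanned);
$found = $stmt->fetch();
$stmt->close();

// The password is never put into SQL at all: it is checked in PHP against the stored hash.
if (!$found || !password_verify($_POST['password'], $storedHash)) {
    die('Credentials incorrect.');
}
if ($isBanned) {
    die('You have been banned.');
}
die('Credentials correct.');
```

Note that the password comparison has moved out of the WHERE clause entirely; the query only looks up the row for the given username, and password_verify() does the rest, so even a bug in the query can no longer turn a wrong password into a successful login.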
Anyway, you get the point.
I'm providing this information so you can learn, not so you can screw around with shittily-designed systems.