Injection
SQL Injection
Page 321, the code shown in the gray box in the middle of the page, is not the same as the download code. The download code just has "1 = 1" for the query. This does illustrate the point of exploiting the vulnerability and getting back all the email addresses, but it does not illustrate the case of using $_POST['user_id'].
PHP Code:
$query = 'SELECT USERNAME, EMAIL_ADDR FROM WROX_USER WHERE 1 = 1';
Now the code in the book uses $_POST['user_id'] that is passed in, but it needs a form to actually use it.

To do this I basically took exploit_01.php and put this code into the if block section. In the form, I changed name to user_id, but the rest of it is the same as in exploit_01.php.

Here is the complete vulnerable code I used, which illustrates the SQL injection vulnerability.
PHP Code:
<?php
include "../lib/common.php";
include "../lib/db.php";
if (isset($_POST['submitted']))
{
    // Vulnerable: $_POST['user_id'] is concatenated straight into the SQL string.
    $query = 'SELECT USERNAME, EMAIL_ADDR FROM USER WHERE USER_ID = ' . $_POST['user_id'];
    $result = mysql_query($query, $GLOBALS['DB']);
    echo '<p>Welcome!<br/>Here is the information we have on file for you:</p>';
    echo '<table>';
    while ($row = mysql_fetch_assoc($result))
    {
        echo '<tr><td>Name:</td>';
        echo '<td>' . htmlspecialchars($row['USERNAME']) . '</td></tr>';
        echo '<tr><td>Email:</td>';
        echo '<td>' . htmlspecialchars($row['EMAIL_ADDR']) . '</td></tr>';
    }
    echo '</table>';
    echo '<p>Is this correct?</p>';
    mysql_free_result($result);
    mysql_close($GLOBALS['DB']);
}
else
{
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<div>
Enter your user id: <input type="text" name="user_id"/>
<input type="submit" value="Submit"/>
<input type="hidden" name="submitted" value="true"/>
</div>
</form>
<?php
}
?>
Here is a copy of the author's corrected code; I added a structure around it so it can use the form. (I don't use the prefix WROX on USER.)
PHP Code:
<?php
include "../lib/common.php";
include "../lib/db.php";
if (isset($_POST['submitted']))
{
    // %d forces the submitted value to an integer before it enters the query.
    $query = sprintf('SELECT USERNAME, EMAIL_ADDR FROM USER WHERE ' .
                     'USER_ID = %d', $_POST['user_id']);
    $result = mysql_query($query, $GLOBALS['DB']);
    $row = mysql_fetch_assoc($result);
    mysql_free_result($result);
    echo '<p>Welcome!<br/>Here is the information we have on file for you:</p>';
    echo '<table>';
    echo '<tr><td>Name:</td>';
    echo '<td>' . htmlspecialchars($row['USERNAME']) . '</td></tr>';
    echo '<tr><td>Email:</td>';
    echo '<td>' . htmlspecialchars($row['EMAIL_ADDR']) . '</td></tr>';
    echo '</table>';
    echo '<p>Is this correct?</p>';
    mysql_close($GLOBALS['DB']);
}
else
{
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<div>
Enter your user id: <input type="text" name="user_id"/>
<input type="submit" value="Submit"/>
<input type="hidden" name="submitted" value="true"/>
</div>
</form>
<?php
}
?>
</html>
The authors got the point across very well. I just posted this code
here for anyone who wants to see it work using an actual form.
NEXT ISSUE
On page 323, about 12 lines down, there is a gray box illustrating a line of code. There is a typo here: there needs to be a single quote before USER on the second line. They do have this correct in the completed code at the bottom of the page. Anyway, here is how it should look:
PHP Code:
$query = sprintf('SELECT USERNAME, EMAIL_ADDR FROM USER WHERE ' .
'USER_ID = %d', $_POST['user_id']);
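The following is an added example, not code from the book or from the post above. It puts the post's vulnerable concatenation, the book's sprintf('%d') fix, and a PDO prepared statement side by side against an in-memory SQLite table, so the effect of each on the "1 = 1" case can be seen without a MySQL server. The table and column names follow the post; the function names (lookupVulnerable, lookupSprintf, lookupPrepared, makeDb) and the two sample rows are constructed here. It requires PHP with the pdo_sqlite extension.

```php
<?php
// Added example: three ways of running the post's query, compared on the same data.
// Assumes PHP 7+ with pdo_sqlite. Sample rows below are constructed for this demo.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE USER (USER_ID INTEGER PRIMARY KEY, USERNAME TEXT, EMAIL_ADDR TEXT)');
    $db->exec("INSERT INTO USER VALUES (1, 'alice', 'alice@example.com'),
                                       (2, 'bob',   'bob@example.com')");
    return $db;
}

// 1. The post's vulnerable form: the submitted value is concatenated into the SQL.
function lookupVulnerable(PDO $db, string $userId): array
{
    $query = 'SELECT USERNAME, EMAIL_ADDR FROM USER WHERE USER_ID = ' . $userId;
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The book's fix: %d converts the value to an integer before it reaches the
//    query, so any trailing SQL is discarded and non-numeric input becomes 0.
function lookupSprintf(PDO $db, string $userId): array
{
    $query = sprintf('SELECT USERNAME, EMAIL_ADDR FROM USER WHERE USER_ID = %d', $userId);
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Validate, then bind: the value is sent as a parameter and is never parsed
//    as SQL, and malformed input is rejected instead of silently coerced.
function lookupPrepared(PDO $db, string $userId): array
{
    $id = filter_var($userId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // caller renders "no such user" rather than querying with 0
    }
    $stmt = $db->prepare('SELECT USERNAME, EMAIL_ADDR FROM USER WHERE USER_ID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = makeDb();
$benign  = '1';
$payload = '1 OR 1 = 1';   // produces the "WHERE ... 1 = 1" query the post describes

printf("vulnerable, benign:  %d row(s)\n", count(lookupVulnerable($db, $benign)));  // 1
printf("vulnerable, payload: %d row(s)\n", count(lookupVulnerable($db, $payload))); // 2: every row returned
printf("sprintf, payload:    %d row(s)\n", count(lookupSprintf($db, $payload)));    // 1: only the leading 1 survives %d
printf("prepared, payload:   %d row(s)\n", count(lookupPrepared($db, $payload)));   // 0: rejected by validation
printf("prepared, benign:    %d row(s)\n", count(lookupPrepared($db, $benign)));    // 1
```

The sprintf('%d') approach works because USER_ID is an integer column; it does not generalize to string columns, where casting is not available and a prepared statement (or, failing that, the driver's own escaping function) is the fix.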