Tuesday, March 1, 2011

SQL Injection



First, artikel ni di copy/paste seratus peratus dari Fanfareforum. Artikel ini dwibahasa, sila scroll ke bawah untuk Bahasa Malaysia.

*Sekadar info sahaja. :P

English:

What is SQL Injection

SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.
SQL Injection Example

Below is a sample string that has been gathered from a normal user and a bad user trying to use SQL Injection. We asked the users for their login, which will be used to run a SELECT statement to get their information.
MySQL & PHP Code:
Code:
// a good user's name
$name = "timmy";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "
";

// user input that uses SQL Injection
$name_bad = "' OR 1'";

// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

// display what the new query will look like, with injection
echo "Injection: " . $query_bad;
Display:
Code:
Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''

The normal query is no problem, as our MySQL statement will just select everything from customers that has a username equal to timmy.

However, the injection attack has actually made our query behave differently than we intended. By using a single quote (') they have ended the string part of our MySQL query
username = ' '

and then added on to our WHERE statement with an OR clause of 1 (always true).
username = ' ' OR 1

This OR clause of 1 will always be true and so every single entry in the "customers" table would be selected by this statement!
More Serious SQL Injection Attacks

Although the above example displayed a situation where an attacker could possibly get access to a lot of information they shouldn't have, the attacks can be a lot worse. For example an attacker could empty out a table by executing a DELETE statement.
MySQL & PHP Code:
Code:
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

// our MySQL query builder really should check for injection
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

// the new evil injection query would include a DELETE statement
echo "Injection: " . $query_evil;
Display:
Code:
SELECT * FROM customers WHERE username = ' '; DELETE FROM customers WHERE 1 or username = ' '

If you were run this query, then the injected DELETE statement would completely empty your "customers" table. Now that you know this is a problem, how can you prevent it?
Injection Prevention - mysql_real_escape_string()

Lucky for you, this problem has been known for a while and PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function mysql_real_escape_string.

What mysql_real_escape_string does is take a string that is going to be used in a MySQL query and return the same string with all SQL Injection attempts safely escaped. Basically, it will replace those troublesome quotes(') a user might enter with a MySQL-safe substitute, an escaped quote \'.

Lets try out this function on our two previous injection attacks and see how it works.
MySQL & PHP Code:
Code:
//NOTE: you must be connected to the database to use this function!
// connect to MySQL

$name_bad = "' OR 1'";

$name_bad = mysql_real_escape_string($name_bad);

$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection:
" . $query_bad . "
";


$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

$name_evil = mysql_real_escape_string($name_evil);

$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection:
" . $query_evil;
Display:
Code:
Escaped Bad Injection:
SELECT * FROM customers WHERE username = '\' OR 1\''
Escaped Evil Injection:
SELECT * FROM customers WHERE username = '\'; DELETE FROM customers WHERE 1 or username = \''

Notice that those evil quotes have been escaped with a backslash \, preventing the injection attack. Now all these queries will do is try to find a username that is just completely ridiculous:
Bad: \' OR 1\'
Evil: \'; DELETE FROM customers WHERE 1 or username = \'

And I don't think we have to worry about those silly usernames getting access to our MySQL database. So please do use the handy mysql_real_escape_string() function to help prevent SQL Injection attacks on your websites. You have no excuse not to use it after reading this lesson!

.........................................................................................................................................................................................................................
.........................................................................................................................................................................................................................


Bahasa Malaysia: 


[Apa itu SQL Injection]
SQL injection merujuk pada tindakan seseorang memasukkan kenyataan MySQL untuk dijalankan pada database anda tanpa pengetahuan anda. Suntikan biasanya berlaku apabila anda meminta pengguna untuk masukkan, seperti nama mereka, dan bukannya nama mereka memberikan kenyataan MySQL bahawa anda tidak sedar akan berjalan pada database anda.
SQL Injection Contoh

Di bawah ini adalah contoh string yang telah dikumpulkan dari user biasa dan user buruk cuba untuk menggunakan SQL Injection. Kami meminta pengguna untuk login mereka, yang akan digunakan untuk menjalankan statemen SELECT untuk mendapatkan maklumat mereka.
MySQL & PHP Code:
Kod:
/ / Nama pengguna yang baik
$ Name = "Timmy";
$ Query = "SELECT * FROM nasabah WHERE username '$ name' =";
echo "Normal:". $ Query. "
";

/ / User input yang menggunakan SQL Injection
$ Name_bad = "'OR 1'";

/ / Kami MySQL bina query, bagaimanapun, tidak yang sangat aman satu
$ Query_bad = "SELECT * FROM pelanggan WHERE username 'name_bad $' =";

/ / Hotel apa query yang baru akan kelihatan seperti, dengan suntikan
echo "Suntikan:". $ Query_bad;
Display:
Kod:
Muzik: SELECT * FROM nasabah WHERE username 'Timmy' =
Suntikan: SELECT * FROM nasabah WHERE username =''OR 1''

Permintaan normal tidak ada masalah, sebagai pernyataan MySQL kita hanya akan memilih semuanya dari pelanggan-pelanggan yang mengandungi username sama dengan Timmy.

Namun, serangan injeksi telah benar-benar membuat query kita berperilaku berbeza dari kita dimaksudkan. Dengan menggunakan tanda kutip tunggal (') mereka telah berakhir pada bahagian string dari query MySQL kita
username =''

dan kemudian ditambah pada WHERE kenyataan kita dengan ayat OR 1 (selalu benar).
username =''OR 1

Ayat ini OR 1 akan selalu benar dan setiap entri dalam jadual "pelanggan" akan dipilih oleh kenyataan ini!
Lebih Serius Serangan SQL Injection

Walaupun contoh di atas ditunjukkan situasi di mana seorang penyerang mungkin boleh mendapatkan akses kepada banyak maklumat yang mereka tidak seharusnya, serangan bisa menjadi jauh lebih buruk. Misalnya seorang penyerang dapat mengosongkan meja dengan menjalankan kenyataan DELETE.
MySQL & PHP Code:
Kod:
$ Name_evil = "'; DELETE FROM pelanggan WHERE 1 atau username ='";

/ / Kami bina query MySQL benar-benar harus memeriksa untuk suntikan
$ Query_evil = "SELECT * FROM nasabah WHERE username 'name_evil $' =";

/ / Query yang suntikan baru jahat akan merangkumi kenyataan DELETE
echo "Suntikan:". $ Query_evil;
Display:
Kod:
SELECT * FROM nasabah WHERE username =''; DELETE FROM pelanggan WHERE 1 atau username =''

Jika anda menjalankan permintaan ini, maka DELETE disuntik anda benar-benar akan kosong "pelanggan" jadual. Sekarang anda tahu ini adalah masalah, bagaimana anda mencegahnya?
Suntikan Pencegahan - mysql_real_escape_string ()

Beruntung bagi anda, masalah ini telah dikenali untuk sementara dan PHP memiliki fungsi khusus-dibuat untuk mencegah serangan-serangan ini. Yang perlu anda lakukan adalah menggunakan seteguk daripada fungsi mysql_real_escape_string.

Apa mysql_real_escape_string lakukan adalah mengambil string yang akan digunakan dalam query MySQL dan mengembalikan string yang sama dengan semua usaha SQL Injection selamat lolos. Pada dasarnya, ini akan menggantikan mereka mengutip merepotkan (') pengguna boleh masuk dengan pengganti MySQL-selamat, sebuah kutipan melarikan diri \'.

Mari kita cuba fungsi ini dalam dua kita serangan injeksi sebelumnya dan melihat cara kerjanya.
MySQL & PHP Code:
Kod:
/ / NOTA: Anda harus disambungkan ke database untuk menggunakan fungsi ini!
/ / Terhubung ke MySQL

$ Name_bad = "'OR 1'";

$ Name_bad = mysql_real_escape_string ($ name_bad);

$ Query_bad = "SELECT * FROM pelanggan WHERE username 'name_bad $' =";
echo "Lolos Suntikan Bad:
"$ Query_bad .."
";


$ Name_evil = "'; DELETE FROM pelanggan WHERE 1 atau username ='";

$ Name_evil = mysql_real_escape_string ($ name_evil);

$ Query_evil = "SELECT * FROM nasabah WHERE username 'name_evil $' =";
echo "Lolos Evil Suntikan:
"$ Query_evil.;
Display:
Kod:
Escaped Buruk Suntikan:
SELECT * FROM nasabah WHERE username = '\' OR 1 \''
Escaped Evil Suntikan:
SELECT * FROM nasabah WHERE username = '\'; DELETE FROM pelanggan WHERE 1 atau username = \''

Perhatikan bahawa mereka mengutip jahat telah melarikan diri dengan backslash \, mencegah serangan injeksi. Sekarang semua soalan akan lakukan adalah cuba untuk mencari nama pengguna yang hanya benar-benar konyol:
Bad: \ 'OR 1 \'
Evil: \ '; DELETE FROM pelanggan WHERE 1 atau username = \'

Dan aku tidak berfikir kita perlu bimbang tentang orang-orang konyol nama pengguna mendapat akses ke database MySQL kita. Jadi sila gunakan mysql_real_escape_string praktikal () berfungsi untuk membantu mencegah serangan SQL Injection pada halaman anda. Anda tidak mempunyai alasan untuk tidak menggunakannya setelah membaca pelajaran ini! ))


Credit: [ fxSuzuki ] [ FanFareForum ]

1 comment:

  1. kalau aku jumpa lagi web app yg boleh kena injek senang-senang je macam ni, memang gelak besar la...

    hahaahaha...

    :D

    ReplyDelete

Belasah Keyboard Anda Kat Sini: