
SQL injection, login question

 
Mohammad Ashari Rahman
Ranch Hand
Hi. I do not know if this is the correct forum to ask, but I'll ask anyway.

//connect to database

Then pass this query in a PHP block:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1 and Password="something"

But how can I first connect to the database without entering the UserId and password? How can I access the Users table in the first place? Is it that every time someone accesses a database which needs a user ID/password, the Users table is invoked after the DB connection?

Thanks
 
Jeanne Boyarsky
author & internet detective
Marshal
First, you shouldn't be connecting to the database as the user. You should have a general user id for logins that does queries on behalf of your user. So these passwords are for your application, not for the database. Your application remembers the user is logged in and doesn't prompt on each request.

And yes, your example is subject to SQL Injection. See this article on how to avoid it. Finally, don't return the password in the select clause; just the name. You already have the user id/password. There is no need to return them.

 
Mohammad Ashari Rahman
Ranch Hand
Jeanne Boyarsky wrote: First, you shouldn't be connecting to the database as the user. You should have a general user id for logins that does queries on behalf of your user. So these passwords are for your application, not for the database. Your application remembers the user is logged in and doesn't prompt on each request.

And yes, your example is subject to SQL Injection. See this article on how to avoid it. Finally, don't return the password in the select clause; just the name. You already have the user id/password. There is no need to return them.





What are the Password and PWD? Which one is for the application, and what is the UserTbl stored in the DB for users and password?

I guess PWD is for the application?

Secondly, assuming SQL injection is successful, which password does it bypass? The application-level password to access the DB?
 
Jeanne Boyarsky
author & internet detective
Marshal
PWD is the database password in that example. It isn't possible to do SQL Injection with a database password.

SQL Injection isn't just about bypassing the password. It lets the bad guy see or change data that he/she shouldn't be able to.
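
Added example (not part of the thread and not code from either poster): the login query from the question run two ways against an in-memory SQLite table, written in Python rather than the PHP the question mentions. The table contents, function names and passwords are constructed for illustration; the `105 or 1=1` input is the one from the question.

```python
import sqlite3

def open_app_connection():
    # The application opens this connection itself, using its own service
    # account (in-memory SQLite stands in for that here). End users never
    # log in to the database: their credentials are just rows in Users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    # Constructed sample rows; a real table would hold salted password hashes.
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                   [(105, "alice", "s3cret-A"), (106, "bob", "s3cret-B")])
    return db

def login_concatenated(db, user_id, password):
    # Vulnerable: the form values become part of the SQL text, so
    # "105 or 1=1" is parsed as SQL. AND binds tighter than OR, giving
    #   UserId = 105 OR (1=1 AND Password = '...')
    # which matches user 105 whatever password was typed.
    sql = ("SELECT Name FROM Users WHERE UserId = " + user_id +
           " AND Password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, user_id, password):
    # Bound parameters travel as data and are never parsed as SQL.
    # Only Name is selected; the password is not returned to the caller.
    sql = "SELECT Name FROM Users WHERE UserId = ? AND Password = ?"
    return [row[0] for row in db.execute(sql, (user_id, password))]

if __name__ == "__main__":
    db = open_app_connection()
    crafted = "105 or 1=1"  # the UserId value from the question
    print(login_concatenated(db, "105", "s3cret-A"))      # ['alice']
    print(login_concatenated(db, crafted, "something"))   # ['alice']
    print(login_parameterized(db, crafted, "something"))  # []
    print(login_parameterized(db, "105", "s3cret-A"))     # ['alice']
```

In both functions the check is made against the application's own Users table over a connection the application already holds; the database login (the PWD in the connection settings) is never taken from the form.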
 