
Possible Duplicate:
MySQL Injection - Use SELECT query to UPDATE/DELETE

So I have found a bug in my site that allows SQL injection: http://mysite.com/script.php?id=1 union select 1,2,3 will output all fields that have the Id property equal to one, plus one additional row with 1,2,3. I know that I have to validate user input to close my bug.

However, my question is quite another. Is it possible to perform an update query or an insert query? I am able to comment the query using --, however I cannot use multiple statements delimited by ;. So is it possible to perform an update query in my case? I can show the PHP code and SQL query if needed.

// $val comes straight from the request and is interpolated into the SQL text
$sql    = "SELECT id, title, text from table where cId=$val";
$result = mysql_query($sql);
$array  = mysql_fetch_array($result);
// echo rows in table
seeker
  • Yes please - please always show code where it is available. – halfer Jan 01 '13 at 18:45
  • It might be possible if there are predefined functions available in your database that take arbitrary SQL as input. I don't know if any such thing exists, or what database might have that in a standard library, but it is possible. It might be called via `SELECT my_func('DELETE FROM ...');` – halfer Jan 01 '13 at 18:49
  • Use PDO/mysqli with parametrised queries. That way you don't have to worry about code injection. – Asad Saeeduddin Jan 01 '13 at 18:49
  • (I rolled back your edit (and then re-applied your code change) as you accidentally reverted minor edits I made to your question. Please refresh your page before making edits, for this reason). – halfer Jan 01 '13 at 18:52
  • @Halfer Sure, thank you. As I understood, an update query here is almost impossible? Yes? – seeker Jan 01 '13 at 18:52
  • @Seeker: Why should anybody tell you? If we say it's not possible, do you feel safe then? If we say it's possible, what then? – hakre Jan 01 '13 at 18:54
  • From the manual: _mysql_query() sends a unique query (multiple queries are not supported)_ so that's a good start. Notwithstanding, you should definitely fix this issue - I wouldn't leave it as it is just because you feel 'safe enough'. – halfer Jan 01 '13 at 18:55
  • @hakre if that's not possible then it's nothing critical if a user can read my table. However if not, a user can perform something like `DROP database wow`. – seeker Jan 01 '13 at 18:55
  • _nothing critical if user can read my table_ - but that will permit users to look up each other's data, assuming you have such a thing on your site. – halfer Jan 01 '13 at 18:56
  • @Seeker: Well, the actual problem you face is located elsewhere. You think it's not critical while in reality you've just found an existing problem. Fix it! Anything else is just making you weak to care about important things. – hakre Jan 01 '13 at 18:57
  • There are other interesting things that can be done besides insert/update - Denial of Service using `SELECT BENCHMARK(99999999, some_query)`, seeing your data structure using `SELECT FROM information_schema`, dumping data to files and consuming all the space using `SELECT .. INTO OUTFILE`... – DCoder Jan 01 '13 at 19:20

3 Answers

Judging from MySQL Injection - Use SELECT query to UPDATE/DELETE, all that is protecting you is a limitation of mysql_query. I would not rely on this, and in particular not on it remaining this way over time. You should never rely on a feature being disabled by default. Maybe the next version already allows statements such as:

SELECT id, title, text from table where cId=1; DROP table table
Has QUIT--Anony-Mousse

Nope, it is not possible. Most probably you are running mysql_query, which does not allow multiple queries to be run in one pass. And hence, if your query starts with SELECT (as it does), it would not allow any UPDATE injection.

Edit: Use mysql_real_escape_string on your input even then

Hanky Panky

By default this should not be possible, although since MySQL 5.0 there is an option for mysql_query to run multiple statements in one string, which you have to set with mysql_set_server_option.

Please consider changing your statement command like this to use mysql_real_escape_string:

// the escaped value must sit inside quotes; escaping alone does not stop injection into an unquoted numeric comparison
$q = mysql_fetch_array(mysql_query("SELECT id, title, text from table where cId = '" . mysql_real_escape_string($val) . "'"));

At the very best you change your code to use PDO since all mysql_* functions are officially deprecated.

Benjamin Paap
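As an added example (not code from the question or from any of the answers), here is the query from the question rewritten with PDO as the last answer suggests, showing the string-spliced form beside the parameterised one. The table and column names come from the question; the DSN, credentials and the `fetchRowsVulnerable`/`fetchRowsSafe` function names are assumptions.

```php
<?php
// Added example, not from the original question or answers. Assumes a table
// named `table` with columns id, title, text, cId; connection details are
// placeholders.
$dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    // Let the MySQL server prepare the statement instead of the client
    // splicing escaped values into the SQL text.
    PDO::ATTR_EMULATE_PREPARES       => false,
    // Keep stacked queries ("...; DROP TABLE ...") off: the same behaviour
    // mysql_query() relied on implicitly, now set explicitly.
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
]);

// Vulnerable form from the question: $val is spliced into the SQL text, so
// "1 union select 1,2,3" changes the structure of the statement.
function fetchRowsVulnerable(PDO $pdo, string $val): array
{
    $sql = "SELECT id, title, text FROM `table` WHERE cId=$val";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed, the value travels separately as a
// bound integer, and a non-integer id is rejected before it reaches MySQL.
function fetchRowsSafe(PDO $pdo, string $val): array
{
    $cId = filter_var($val, FILTER_VALIDATE_INT);
    if ($cId === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT id, title, text FROM `table` WHERE cId = :cId');
    $stmt->bindValue(':cId', $cId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// With the id from the question ("1 union select 1,2,3") the safe version
// rejects the request; the vulnerable one would return the extra 1,2,3 row.
try {
    $rows = fetchRowsSafe($pdo, $_GET['id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit;
}
```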