How to Inject SQL Statements in PHP?

[DANIEL 602]

Hi friends,
I have used SQL queries with the other programming languages but not with the PHP. I want to use the SQL statements with the PHP programming language. I have done the basic programs in PHP and also tried to use SQL statements into it but was not succeeded. So please help me by telling how to Inject SQL Statements in PHP? Also provide any related coding which would be very helpful for me.!! Thanks in Advance.!!

[kyosang]

Many web developers are unaware of opportunities to manipulate SQL queries, and assume that the SQL commands are safe. This means that SQL queries are able to circumvent controls and audits, such as identification, and sometimes SQL queries have access to administrative commands. Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data or to override valuable ones or even to execute dangerous commands to the database. This is where application data is sent by the user and used directly to construct an SQL query.

[Solitario]

With the lack of verification of data and connecting to the server with root privileges, the attacker can create users and create another superuser. I have provided you with an example of splitting the result set into pages and making superusers, so just have a look at the sample of coding :

PHP Code:

<?php
 
$offset = $argv[0]; 
$query  = "SELECT id, name FROM sales ORDER BY name LIMIT 25 OFFSET $offset;";
$result = pg_query($conn, $query);
 
?>

[MELTRONICS]

Normal users click on the buttons 'next' and 'previous', which are then placed in the variable $ offset is encoded in the URL. The script expects that the incoming $ offset is a decimal number. However, it is possible to change the URL by adding a new value, the URL format, like this :

PHP Code:

0;
INSERT INTO pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
    SELECT 'crack', usesysid, 't','t','crack'
    FROM pg_shadow WHERE usename='postgres';
-- 


If this happens, the script will create a new superuser. Note that the value 0 is used to complete the original query and to complete successfully.

[Deabelos]

One way to gain passwords is to circumvent the search page. What the attacker needs to do is to see if a form variable is used in the application, and if it is mismanaged. These filters can be configured in a previous page to be used in WHERE clauses, ORDER BY, LIMIT and OFFSET SELECT queries. If your database supports the UNION construct, the attacker may try to append an entire query to list passwords from any table. Using the technique of encrypted passwords is strongly recommended. Also the code provided by the 'MELTRONICS', you can observe the symbol - in that. This is a common technique to force the SQL parser to ignore the rest of the request, using the symbols - to put in comments.

[Allan.d]

SQL UPDATE's are also prone to attacks of your database. These queries can also introduce a new application on your initial order. But the attacker might fiddle with the SET command. In this case, he must know something about your database. This can be guessed by examining the variable names in forms, or just simply brute forcing more traditional. There are not many naming conventions to store usernames and passwords. But a rogue user can send a value 'or uid like'% admin% '; - to $ uid to change the user password. The following is a query and its injection :

PHP Code:

<?php
 
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --";
 
$query = "UPDATE usertable SET pwd='pass', admin='yes', trusted=100 WHERE
...;";
 
?>