Revisions to How can I prevent SQL injection in PHP?

improved formatting, changed blockquotes to code blocks

Source Link

edit approved Jun 12, 2020 at 3:31

44
6

##My approach:

My approach:

SELECT password FROM users WHERE name = 'root''root';

SELECT password FROM users WHERE name = 0x726f6f740x726f6f74;

SELECT password FROM users WHERE name = UNHEX('726f6f74');

The ** 0x**0x prefix can only be used for data columns such as char, varchar, text, block, binary, etcchar, varchar, text, block, binary, etc.
Also, its use is a little complicated if you are about to insert an empty string. You'll have to entirely replace it with '', or you'll get an error.

UNHEX()UNHEX() works on any column; you do not have to worry about the empty string.

SELECT ... WHERE id = -1 union all select table_name from information_schema.tables

SELECT ... WHERE id = -1 UNION ALL SELECT table_name FROM information_schema.tables;

SELECT ... WHERE id = -1 union all select column_name from information_schema.column where table_name = 0x61727469636c65

SELECT ... WHERE id = -1 UNION ALL SELECT column_name FROM information_schema.column WHERE table_name = __0x61727469636c65__;

But if the coder of an injectable site would hex it, no injection would be possible because the query would look like this: SELECT ... WHERE id = UNHEX('2d312075...3635')

SELECT ... WHERE id = UNHEX('2d312075...3635');

##My approach:

SELECT password FROM users WHERE name = 'root'

SELECT password FROM users WHERE name = 0x726f6f74

SELECT password FROM users WHERE name = UNHEX('726f6f74')

The ** 0x** prefix can only be used for data columns such as char, varchar, text, block, binary, etc.
Also, its use is a little complicated if you are about to insert an empty string. You'll have to entirely replace it with '', or you'll get an error.

UNHEX() works on any column; you do not have to worry about the empty string.

SELECT ... WHERE id = -1 union all select table_name from information_schema.tables

SELECT ... WHERE id = -1 union all select column_name from information_schema.column where table_name = 0x61727469636c65

But if the coder of an injectable site would hex it, no injection would be possible because the query would look like this: SELECT ... WHERE id = UNHEX('2d312075...3635')

My approach:

SELECT password FROM users WHERE name = 'root';

SELECT password FROM users WHERE name = 0x726f6f74;

SELECT password FROM users WHERE name = UNHEX('726f6f74');

The 0x prefix can only be used for data columns such as char, varchar, text, block, binary, etc.
Also, its use is a little complicated if you are about to insert an empty string. You'll have to entirely replace it with '', or you'll get an error.

UNHEX() works on any column; you do not have to worry about the empty string.

SELECT ... WHERE id = -1 UNION ALL SELECT table_name FROM information_schema.tables;

SELECT ... WHERE id = -1 UNION ALL SELECT column_name FROM information_schema.column WHERE table_name = __0x61727469636c65__;

But if the coder of an injectable site would hex it, no injection would be possible because the query would look like this:

SELECT ... WHERE id = UNHEX('2d312075...3635');

Grammar improvement(s)

Source Link

edited Dec 25, 2017 at 14:40

Nae

15.1k
7
58
82

0x The ** 0x** prefix can only be used onfor data columns such as char, varchar, text, block, binary, etc.
Also, its use is a little complicated if you are about to insert an empty string. You'll have to entirely replace it with '', or you'll get an error.

0x prefix can only be used on data columns such as char, varchar, text, block, binary, etc.
Also, its use is a little complicated if you are about to insert an empty string. You'll have to entirely replace it with '', or you'll get an error.

The ** 0x** prefix can only be used for data columns such as char, varchar, text, block, binary, etc.
Also, its use is a little complicated if you are about to insert an empty string. You'll have to entirely replace it with '', or you'll get an error.