Friday, June 1, 2012

SQL Injecting Parameters

In the last two posts we saw how a user's input parameters are processed by a scripting language such as PHP or ASP, and how the resulting query is then passed to the database.

Everything works on the basis of input and output: the database receives an input and, based on that input, returns an output. A database does not verify whether a query comes from a genuine user or from someone trying to extract information; it simply executes whatever query it is handed.

We are more interested in the second phase, where the script builds the request. If we can somehow alter the query that the PHP script passes to the database, the back-end database will hand out the information.

For example, consider this URL:

http://www.example.com/products.php?id=10

Here id=10 is known as a parameter; based on the value of 'id', we get some result from the back-end database.

A normal PHP script would do the following:

<?php

//connect to database (hostname and credentials are placeholders)
//note: the mysql_* extension used here was removed in PHP 7
$con = mysql_connect("localhost", "username", "password");

//select the database that holds the Products table (database name assumed here)
mysql_select_db("shop", $con);

//read the parameter straight from the URL, with no validation or escaping
$id = $_GET['id'];

//Build the SQL Query by splicing the raw parameter into the string (this is the injection point)
$qry = "SELECT Products.Name, Products.Price FROM Products WHERE Products.id = '$id'";

//Query to the Database
$result = mysql_query($qry, $con);

//output to the User (column names come back without the table prefix)
while ($row = mysql_fetch_array($result))
{
echo "NAME: ".$row['Name']." PRICE: ".$row['Price']."<br />";
}

//close the Database Connection
mysql_close($con);

?>

If you look at this carefully, the SQL query that the script would execute for id=10 is:

SELECT Products.Name, Products.Price
FROM Products
WHERE Products.id = '10'


Now, what if we modify the URL from

http://www.example.com/products.php?id=10

to

http://www.example.com/products.php?id=10' OR '1'='1

The SQL Query would now be:

SELECT Products.Name, Products.Price
FROM Products
WHERE Products.id = '10' OR '1'='1'


The simple logic here is that 1 is always equal to 1, so the WHERE clause is now true for every row: we have changed the logic of the query the PHP script sends.

In layman's terms, we are asking for the name and price of every product whose id is '10' OR where the condition is true (which is all of them).

Hence this query displays the name and price of every row in the Products table.
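The following is an added example, not code from the original post. It reproduces the PHP script's behaviour in Python against an in-memory SQLite table with constructed rows, so the effect of the payload can be run and checked offline: the string-splicing version returns every product for the injected id, while the same lookup with a bound parameter returns nothing, because the database never parses the input as SQL. The table name, column names, sample rows and the helper names are assumptions for this demonstration.

```python
import sqlite3

# Constructed sample data standing in for the post's Products table.
PRODUCTS = [
    (10, "Widget", 9.99),
    (11, "Gadget", 19.99),
    (12, "Gizmo", 29.99),
]


def open_db():
    """In-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Products (id INTEGER, Name TEXT, Price REAL)")
    con.executemany("INSERT INTO Products VALUES (?, ?, ?)", PRODUCTS)
    return con


def lookup_vulnerable(con, id_param):
    """Mirrors the PHP script: the raw parameter is spliced into the SQL text,
    so any quote in it becomes part of the query grammar."""
    qry = "SELECT Name, Price FROM Products WHERE id = '%s'" % id_param
    return con.execute(qry).fetchall()


def lookup_parameterized(con, id_param):
    """Hardened form: the value is bound to a placeholder, so the SQL text is
    fixed and the parameter is compared as data, quotes and all."""
    qry = "SELECT Name, Price FROM Products WHERE id = ?"
    return con.execute(qry, (id_param,)).fetchall()


def validate_id(id_param):
    """Allow-list check to apply before the query: a product id must be a
    plain decimal integer, so anything containing quotes or spaces is rejected
    up front rather than reaching the database at all."""
    if not id_param.isdigit():
        raise ValueError("id must be a decimal integer")
    return int(id_param)


if __name__ == "__main__":
    con = open_db()
    normal = "10"
    payload = "10' OR '1'='1"   # the post's payload, as it arrives in $_GET['id']
    print("vulnerable, id=10      :", lookup_vulnerable(con, normal))
    print("vulnerable, payload    :", lookup_vulnerable(con, payload))
    print("parameterized, id=10   :", lookup_parameterized(con, normal))
    print("parameterized, payload :", lookup_parameterized(con, payload))
    try:
        validate_id(payload)
    except ValueError as err:
        print("validation rejects payload:", err)
```

In PHP the equivalent of lookup_parameterized is a prepared statement (mysqli's prepare() with bind_param(), or PDO's prepare() with bound values); the integer check before the query is a cheap second layer, since a product id has no legitimate reason to contain a quote.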

Hope this was informative and makes sense to those who did not know the purpose of appending ' OR '1'='1.

That's all for this post.

Thank You!
