SQL injection (1) -- determine whether there are SQL injection vulnerabilities

What is? SQL Inject

Whether learning back-end development / database / Network security ,SQL Injecting potential safety hazards has been mentioned repeatedly
What exactly is SQL？

The definition of Wikipedia ：

（1） What is? SQL？
SQL Is a language used to manipulate databases

（2） For example , Now we need to check the movie “ Changjin Lake ” Box office data ：


First imagine how developers write code to get data from a database ：

How to think as a hacker ？

SQL Injection range practice - DVWA（1）

【1】 First of all, will security Adjustable for low：

（ Remember to click “submit”）

【2】 Then challenge the module SQL Injection

First try normal

【3】 Try to check the source code ：

I pasted the source code below ：

SQL Injection Source
vulnerabilities/sqli/source/low.php
<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    
    // Get input
    $id = $_REQUEST[ 'id' ];

    switch ($_DVWA['SQLI_DB']) {
    
        case MYSQL:
            // Check database
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Get results
            while( $row = mysqli_fetch_assoc( $result ) ) {
    
                // Get values
                $first = $row["first_name"];
                $last  = $row["last_name"];

                // Feedback for end user
                echo "<pre>ID: {
      $id}<br />First name: {
      $first}<br />Surname: {
      $last}</pre>";
            }

            mysqli_close($GLOBALS["___mysqli_ston"]);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            #$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
            #$sqlite_db_connection->enableExceptions(true);

            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            #print $query;
            try {
    
                $results = $sqlite_db_connection->query($query);
            } catch (Exception $e) {
    
                echo 'Caught exception: ' . $e->getMessage();
                exit();
            }

            if ($results) {
    
                while ($row = $results->fetchArray()) {
    
                    // Get values
                    $first = $row["first_name"];
                    $last  = $row["last_name"];

                    // Feedback for end user
                    echo "<pre>ID: {
      $id}<br />First name: {
      $first}<br />Surname: {
      $last}</pre>";
                }
            } else {
    
                echo "Error in fetch ".$sqlite_db->lastErrorMsg();
            }
            break;
    } 
}

?>

It's a lot of stuff , But just pay attention SQL sentence select

  $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; 

Focus on ：
SELECT first_name, last_name FROM users WHERE user_id = ‘$id’;

$id That's what the user entered Content .

Judge whether there is SQL Inject holes ：

The data entered by the user is 1’ and 1=1 #
Now SQL The statement has changed , After the original query Will judge on the basis 1 = 1（ This is obviously true ）, If the judgment is correct, there will be output
# The function is to comment （ remove ） follow-up SQL sentence , Remove those that may cause impact later SQL sentence

The data entered by the user is 1’ and 1=2 #
Now SQL The statement will judge after the original query 1=2（ This is obviously wrong ）, If the judgment is correct, there will be output

There is no echo at this time , It shows that the judgment is wrong , At this time, it is certain that SQL Inject holes

summary ：
Two attempts 1=1 Normal output ,1=2 Error output , prove SQL The statement takes effect , There is SQL Inject holes