From aae77a789027518614b09320386a1ccbfaf040e3 Mon Sep 17 00:00:00 2001
From: Bearz314
Date: Thu, 22 Nov 2018 08:31:47 +1100
Subject: [PATCH] Added explanation on the `--` (#22343)

Added explanations on using `--` in SQL to comment out unwanted trailing characters.
Payload should not have a `'` as numbers should not be wrapped by quotes (source: https://www.w3schools.com/sql/sql_where.asp )
The previous payload would have an extra closing quote in the SQL query.
---
 guide/english/php/security/sql-injection/index.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/guide/english/php/security/sql-injection/index.md b/guide/english/php/security/sql-injection/index.md
index 6bb8956310..c61a1dae2c 100644
--- a/guide/english/php/security/sql-injection/index.md
+++ b/guide/english/php/security/sql-injection/index.md
@@ -39,7 +39,9 @@ $conn->close(); SELECT email FROM users WHERE id = `$input`; ``` -So with the above the input is not type casted (I.e. casting the input with (int) so only a number is allowed) nor escaped allowing someone to perform an SQL Injection attack - for example the URL `getemailbyuserid.php?id=1'; My Query Here-- -` would allow you to run arbitrary SQL queries with little effort. +So with the above the input is not type casted (I.e. casting the input with `(int)` so only a number is allowed) nor escaped allowing someone to perform an SQL Injection attack - for example the URL `getemailbyuserid.php?id=1; My Query Here--` would allow you to run arbitrary SQL queries with little effort. + +As the SQL code is a string which can be controlled by an attacker, the `id` variable in the example above effectively becomes `1; My Query Here--`. The `$sql` string thus becomes `SELECT email FROM users WHERE id =1; My Query Here--`. You can see that arbitrary queries can be appended to the original query. The double-dash `--` comments out any trailing characters which can cause an issue with the payload, like closing quotes if available. ### Defending your website from sql injection attacks in PHP There are a few approaches to defend your website from SQL Injection Attacks. These approaches are Whitelisting, Type Casting, and Character Escaping
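Review bot: the new payload `getemailbyuserid.php?id=1; My Query Here--` in the `+So with the above` line drops the trailing ` -` that the removed payload (`1'; My Query Here-- -`) carried, and in MySQL `--` only starts a comment when it is followed by whitespace; because the query template in the context line ends with `;` directly after `$input`, the injected text becomes `--;`, which is not a comment, so the statement fails to parse instead of ignoring the trailing characters. Keep the `-- -` form (or use `#`, which MySQL also treats as a line comment) so the comment survives the URL parameter losing any trailing space. In the same spirit, the added paragraph quotes the built string as `SELECT email FROM users WHERE id =1; My Query Here--`, which does not match the template shown just above it (`id = ` with a space, and the trailing `;`); show the string exactly as it is assembled so readers can follow the substitution. Finally, a stacked `;`-separated statement only executes if the query is sent through an API that accepts multiple statements (mysqli's `query()` rejects them, `multi_query()` and PDO with emulated prepares accept them), so if the example issues `$conn->query($sql)` this payload will not do what the text claims; a `UNION SELECT` or `OR 1=1`-style payload against the single-statement query would be a more accurate illustration. Minor wording in the same line: "type casted (I.e. ...)" should read "type cast (i.e. ...)".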