40' OR '1'='1, is it prone to SQL injection?

I developed a simple application for studying SQL injection, where I search for speed < 40 and display all names with speed less than 40. But when I enter the search as 40' OR '1'='1, it retrieves all records from the database table. I know how to solve this problem, but I don't know how 40' OR '1'='1 works as an operator when I pass it. Can someone briefly tell me what happens when I pass 40' OR '1'='1 in the search box?

hoping for a quick and positive response ...

<?php
include("conn.php");   // opens the mysql_* connection used below

$get_rate = $_GET['rate'];

// Deliberately vulnerable: the request parameter is concatenated straight into
// the SQL text, so a quote in the input ends the string literal early.
$query = "select * from `sqlinjection`.`products` WHERE `products`.`rate` < '".$get_rate."'";

$result = mysql_query($query);

if ($result == false)
{
    die(mysql_error());
}

while ($row = mysql_fetch_array($result))
{
    echo "Srno: ".$row['srno']."<br/>";
    echo "Name: ".$row['name']."<br/>";
    echo "Rate: ".$row['rate']."<br/>";
}

?>
+3

5 answers

This is a classic SQL injection.

Suppose the query is:

select *
from products
where productID = '[some parameter]'

If, instead of a number, the parameter is 40' OR '1'='1, the query becomes:

select *
from products
where productID = '40' OR '1'='1'

Since 1 = 1 is always true, the whole WHERE condition is true for every row, and the entire table is returned.

+5

Your input turns the query into this SQL:

SELECT * FROM my_table WHERE rate<'40' OR '1'='1';

'1' always equals '1', so rate<'40' OR '1'='1' is true for every row, and every row is returned. Obligatory: http://xkcd.com/327/

+3

Add an echo to your script so you can see the query that is actually executed:

$get_rate = $_GET['rate'];
$query = "select * from sqlinjection.products WHERE products.rate < '".$get_rate."'";
echo $query;

For your input, this prints the following SQL:

select * from sqlinjection.products WHERE products.rate < '20' OR '1'='1'
                                                           ^^^^^^^^^^^^^

Instead of $get_rate being just '20', the text OR '1'='1' has become part of the SQL. '1' = '1' is always true, so the WHERE clause matches every row.

+2

Suppose you build the query by concatenating strings, like this:

SELECT somefield FROM sometable WHERE rate < '$yourRate'

If the user passes a normal value (say, 40), you get

SELECT somefield FROM sometable WHERE rate < '40'

But if the user passes a string containing SQL, such as 40' OR '1'='1, you get

SELECT somefield FROM sometable WHERE rate < '40' OR '1'='1'

Since '1'='1' is always true, this is equivalent to

SELECT somefield FROM sometable

So what should you do? The right answer is to use mysqli and its prepared statements, where the parameters are sent separately from the query text. If you cannot, sanitize every value before it goes into the query: cast numbers to the type you expect, and escape strings with PHP's mysql_real_escape_string. In PHP:

$get_count = $_GET['count']; // an example of integer
$get_rate = $_GET['rate'];   // an example of float
$comment = $_GET['comment']; // an example of string

$sanitized_count = (int) $get_count; // now we're *sure* it an int, and nothing else
$sanitized_rate = (float) $get_rate; // ditto
$sql_sanitized_comment = mysql_real_escape_string($comment); // you need to have the mySQL connection open to use this function (for charset purposes)

$query = "select * from sqlinjection.products 
            WHERE 
              products.rate < ".$sanitized_rate."
              OR products.comment = '" . $sql_sanitized_comment . "'
            LIMIT " . $sanitized_count;

With that, user input can no longer alter the structure of the SQL query.

+1

Suppose your query is

SELECT * FROM blah WHERE rate > 'param'

When you pass 40' OR '1'='1, it becomes

SELECT * FROM blah WHERE rate > '40' OR '1'='1'

1 = 1 is always true, so the condition matches every row.

+1
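The behaviour every answer above describes, run end to end, as an added example that is not part of the original question or any of the answers: it builds the asker's query by string concatenation against a constructed in-memory SQLite table (the rows, the table layout and the function names are assumptions for this example), shows the SQL text the payload produces and how many rows it returns, and then applies the fix from the fourth answer (cast the numeric parameter before use) together with a bound query parameter.

```python
import sqlite3

# Constructed sample data standing in for the asker's sqlinjection.products
# table; these rows are invented for this example, not taken from the page.
SAMPLE_ROWS = [
    (1, "bolt", 12.5),
    (2, "nut", 35.0),
    (3, "gear", 80.0),
    (4, "motor", 250.0),
]

PAYLOAD = "40' OR '1'='1"


def make_db():
    """In-memory SQLite database with a products(srno, name, rate) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (srno INTEGER, name TEXT, rate REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, get_rate):
    """Same construction as the PHP in the question: the request value is
    pasted into the SQL text, so a quote in it terminates the string literal.
    Returns (sql_text, rows) so the caller can see the query that actually ran."""
    sql = "SELECT * FROM products WHERE rate < '" + get_rate + "'"
    return sql, conn.execute(sql).fetchall()


def safe_search(conn, get_rate):
    """The fix from the fourth answer plus a bound parameter: `rate` is numeric,
    so the value is converted first (ValueError for anything that is not a
    number), and the query text itself never contains user input."""
    rate = float(get_rate)
    return conn.execute("SELECT * FROM products WHERE rate < ?", (rate,)).fetchall()


def demo():
    """Runs both searches with a normal value and with the payload; returns a
    summary dict so the outcome can be checked without reading printed output."""
    conn = make_db()
    _, normal_rows = vulnerable_search(conn, "40")
    injected_sql, injected_rows = vulnerable_search(conn, PAYLOAD)
    try:
        safe_search(conn, PAYLOAD)
        payload_rejected = False
    except ValueError:
        payload_rejected = True
    return {
        "normal_rows": len(normal_rows),       # rows with rate < 40
        "injected_sql": injected_sql,          # the query the payload produces
        "injected_rows": len(injected_rows),   # every row: OR '1'='1' is always true
        "safe_rows": len(safe_search(conn, "40")),
        "payload_rejected": payload_rejected,  # float() refused the payload
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cast matters even with a bound parameter: if the raw string were bound as-is, the query structure would stay intact, but the comparison of a numeric column against a non-numeric string would be left to the database's own type rules (SQLite, for instance, orders every number below every text value, so `rate < ?` with that string would still match all rows). Converting first means the payload never reaches SQL at all. Note that `float()` also accepts values such as `inf` and `nan`; if the field needs a stricter format, validate it with a regular expression before the cast.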
Source: https://habr.com/ru/post/1781813/

