Member Avatar for Jack_9

Hello fellow python lovers of daniweb.com. This isn't as much a question as much as the fact that I want to see how different people would go about using python to inject an SQl database. I made a script were you can access the ip and run a command. NOTE:Obviously I didn't give an actual database. Who am I kidding you guys aren't stupid. Here's my injection script

import MySQLdb

db = MySQLdb.connect(host="localhost", # your host, usually localhost
                     user="USER", # your username
                      passwd="PWD", # your password
                      db="MySQLdb") # name of the data base

# you must create a Cursor object. It will let
#  you execute all the queries you need
cur = db.cursor()
  • 4 Contributors
  • 4 Replies
  • 8K Views
  • 3 Years Discussion Span
  • Latest Post Latest Post by phoenix079

Recommended Answers

All 4 Replies

Member Avatar for Schol-R-LEA

Actually, you've misunderstood what the term 'SQL injection' means, and fortunately for you, your script doesn't involve any. All your code does is open a connection to a MySQL database server and create a cursor, the basic steps interacting with a database.

SQL injection is a (bad) way of building a SQLquery string, in which user input is inserted directly to a text query string and then executed:

name = raw_input("What is your name?")
cur.execute("SELECT * FROM Students WHERE Name = '%s';" % name)

The reason this is a bad idea is the same reason while it was a bad idea to use input() in Python 2.x: because the user could put anything into the input, not just their name, and the 'data' will get executed along with the query. For example, if I entered Robert'; DROP TABLE Students; --, the final query string would read

"SELECT * FROM Students WHERE Name = 'Robert'; DROP TABLE Students; --';"

which would wreak havoc on the database.

The way to avoid SQL injection is to use a prepared statement, which is a feature of the database that vetts the data automatically for you, making the above scenario less likely.

name = raw_input("What is your name?")
cur.execute("SELECT * FROM Students WHERE Name = %s;", (name))

This may seem like a trivial difference, but when using the prepared statement, the database checks the validity of the interpolated data, making sure that the cannot execute undesireable code.

BTW: the mysqldb library hasn't been updated since June 2013, and only works with Python 2.x. The preferred way to interact with MySQL nowadays is the MySQL Connector/Python, which is provided by the MySQL team themselves.

Member Avatar for David W

or? .... could use latest Python 3 with:

import sqlite3

Member Avatar for Schol-R-LEA

Except that SQLite is a completely different database system.

Member Avatar for phoenix079

Hi,
I tried to mimic your code in my toy database but apparently I'm getting this error
mysql.connector.errors.InternalError: Unread result found after executing the command. I know this error is caused by not using buffered cursor reader, but even after doing so db.cursor(buffered=True), the error didn't go away. I managed to exploit my code with simpler inputs like anything OR 'x'='x' but executing a whole new command did not seem to work in this way, atleast in my case. I was wondering if you ran the code by yourself and tested it.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.