Sql injection and mysqldb

So I was busy playing around with the Python module MySQLdb and looking
at SQL injection.

import MySQLdb

def hack(name):
    # placeholder connection details, as in the original post
    db = MySQLdb.connect('xxx', 'xxx', 'xxx', 'xxx')
    cursor = db.cursor()
    # deliberately vulnerable: the user input is formatted straight into the query text
    sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name)
    print sql
    cursor.execute(sql)
    print cursor.fetchall()

I entered
hack("'pete' OR '1'='1'")

results were:
SELECT * FROM PLAYERS WHERE NAME = 'pete' OR '1'='1'
and the entire database of players showed up

But when I entered '%s' in the SQL statement
results were:
SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message.

So just to ask, does adding '' around %s treat the entire user input as a string and not a SQL query?

Zeref
Light Poster
27 posts since Mar 2011
Reputation Points: 10
Solved Threads: 1
Skill Endorsements: 0

Also, a friend suggested that the SQL is still not secure. Said that I need to sanitize %(name)??

Zeref
Light Poster
27 posts since Mar 2011
Reputation Points: 10
Solved Threads: 1
Skill Endorsements: 0

SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message

There is a syntax error here that has nothing to do with MySQL or injection. Your query breaks down into
''
pete
' OR '
1
'='
1
'
In the future, please include the entire error message if you want some help.

woooee
Posting Maven
2,707 posts since Dec 2006
Reputation Points: 827
Solved Threads: 779
Skill Endorsements: 9
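The three forms of the query discussed in this thread side by side (input formatted in, input formatted inside quotes, and a parameterised query), as an added example that is not from the original posts. It uses Python's sqlite3 module with a constructed in-memory PLAYERS table so it runs without a MySQL server; MySQLdb takes %s as its placeholder where sqlite3 takes ?, otherwise the parameterised call has the same shape.

```python
import sqlite3

# Constructed stand-in for the PLAYERS table from the thread.
SAMPLE_ROWS = [("pete",), ("anna",), ("omar",)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PLAYERS (NAME TEXT)")
    db.executemany("INSERT INTO PLAYERS VALUES (?)", SAMPLE_ROWS)
    return db


def lookup_unsafe(db, name):
    # The thread's original pattern: the input is pasted into the SQL text,
    # so quotes and operators inside it are parsed as part of the query.
    sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name,)
    return db.execute(sql).fetchall()


def lookup_quoted(db, name):
    # The thread's second attempt ('%s'): the input is still spliced into
    # the query text, so a quote inside it still reaches the SQL parser.
    sql = "SELECT * FROM PLAYERS WHERE NAME = '%s'" % (name,)
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    # Parameterised query: the value travels separately from the SQL text,
    # so the whole input is compared as one string literal.
    # MySQLdb equivalent: cursor.execute("... WHERE NAME = %s", (name,))
    return db.execute("SELECT * FROM PLAYERS WHERE NAME = ?", (name,)).fetchall()


def count_or_error(fn, db, name):
    """Return the number of rows a lookup yields, or the parser's error text."""
    try:
        return len(fn(db, name))
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def demo(name):
    """Run all three lookups on one input and report what each one did."""
    db = make_db()
    return {
        "unsafe": count_or_error(lookup_unsafe, db, name),
        "quoted": count_or_error(lookup_quoted, db, name),
        "safe": count_or_error(lookup_safe, db, name),
    }


if __name__ == "__main__":
    print(demo("'pete' OR '1'='1'"))
```

For the input from the thread, the unformatted query returns every row, the quoted form fails with a syntax error (proof that the input was parsed as SQL rather than treated as a string), and the parameterised form simply finds no player with that literal name.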

© 2013 DaniWeb® LLC