
SQL injection and MySQLdb

So I was busy playing around with the Python module MySQLdb and looking
at SQL injection.

import MySQLdb

def hack(name):
    # Connection details are placeholders, as in the original post.
    db = MySQLdb.connect('xxx', 'xxx', 'xxx', 'xxx')
    cursor = db.cursor()
    # Deliberately vulnerable: the caller's input is spliced straight into
    # the SQL text with %, so the server parses whatever was typed.
    sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name,)
    print(sql)
    cursor.execute(sql)
    print(cursor.fetchall())

I entered
hack("'pete' OR '1'='1'")

results were:
SELECT * FROM PLAYERS WHERE NAME = 'pete' OR '1'='1'
and the entire database of players showed up

but when I entered '%s' in the SQL statement
results were:
SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message.

So just to ask, does adding '' around %s treat the entire user input as a string and not as a SQL query?

Zeref

Also, a friend suggested that the SQL is still not secure. Said that I need to sanitize %(name)?

Zeref
SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1'' with an error message


There is a syntax error here that has nothing to do with MySQL or injection. Your query breaks down into:
''
pete
' OR '
1
'='
1
'
In the future please include the entire error message if you want some help.

woooee
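The three cases in this thread (unquoted %s, quoted '%s', and the friend's "still not secure" warning) side by side with the actual fix, as an added example that is not code from either poster. It uses sqlite3 from the standard library instead of MySQLdb so it runs offline against a constructed in-memory PLAYERS table; the DB-API call shape is the same, only the placeholder differs (MySQLdb uses %s, sqlite3 uses ?), and with MySQLdb the parameterized form is cursor.execute("... WHERE NAME = %s", (name,)), which escapes the value for you rather than leaving it to the % operator. The table columns and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the PLAYERS table of the thread.
SAMPLE_PLAYERS = [("pete", 10), ("anna", 42), ("li", 7)]


def make_db():
    """In-memory database with the assumed PLAYERS(NAME, SCORE) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PLAYERS (NAME TEXT, SCORE INTEGER)")
    db.executemany("INSERT INTO PLAYERS VALUES (?, ?)", SAMPLE_PLAYERS)
    return db


def query_formatted(db, name, quote=False):
    """The original post's approach: the value is spliced into the SQL text
    with %, optionally wrapped in single quotes ('%s'). Vulnerable by design."""
    if quote:
        sql = "SELECT * FROM PLAYERS WHERE NAME = '%s'" % (name,)
    else:
        sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name,)
    return db.execute(sql).fetchall()


def query_parameterized(db, name):
    """The fix: the SQL text is fixed and the value is bound as a parameter,
    so it can never be parsed as SQL. MySQLdb equivalent:
    cursor.execute("SELECT * FROM PLAYERS WHERE NAME = %s", (name,))"""
    sql = "SELECT * FROM PLAYERS WHERE NAME = ?"
    return db.execute(sql, (name,)).fetchall()


def demo():
    """Run each variant against the same payloads and report row counts."""
    db = make_db()
    results = {}

    # 1. Unquoted %s with the thread's payload: every row comes back.
    results["formatted_unquoted"] = len(
        query_formatted(db, "'pete' OR '1'='1'"))

    # 2. Quoted '%s' with the same payload: the doubled quotes produce the
    #    syntax error the thread saw (''pete' OR '1'='1''), not safety.
    try:
        query_formatted(db, "'pete' OR '1'='1'", quote=True)
        results["formatted_quoted_syntax_error"] = False
    except sqlite3.OperationalError:
        results["formatted_quoted_syntax_error"] = True

    # 3. Quoted '%s' with a payload that omits the outer quotes so it closes
    #    the string itself: the quoting is bypassed and every row comes back.
    results["formatted_quoted_bypassed"] = len(
        query_formatted(db, "pete' OR '1'='1", quote=True))

    # 4. Parameterized with that same payload: it is just a name nobody has.
    results["parameterized_payload"] = len(
        query_parameterized(db, "pete' OR '1'='1"))

    # 5. Parameterized with a legitimate name still works.
    results["parameterized_legit"] = len(query_parameterized(db, "pete"))

    return results


if __name__ == "__main__":
    for case, rows in demo().items():
        print("%-30s %s" % (case, rows))
```

Case 3 is the answer to the friend's remark: wrapping %s in quotes only blocks the payload that happens to carry its own leading quote; an attacker simply drops it. Escaping by hand is fragile for the same reason, so the practical rule is never to build the statement with % or string concatenation at all and always pass the values as the second argument to execute().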
