
So I was busy playing around with the python module MySQLdb and looking
at SQL injection.

import MySQLdb
def hack(name):
    db=MySQLdb.connect('xxx','xxx','xxx','xxx')
    cursor=db.cursor()
    # user input is pasted straight into the SQL text (this is the injection point)
    sql="SELECT * FROM PLAYERS WHERE NAME = %s" %(name)
    print(sql)
    cursor.execute(sql)
    print(cursor.fetchall())

I entered
hack("'pete' OR '1'='1'")

results were:
SELECT * FROM PLAYERS WHERE NAME = 'pete' OR '1'='1'
and the entire database of players showed up

but when I entered '%s' in the sql statement
results were:
SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message.

So just to ask, adding '' to %s treats the entire user input as a string and not a sql query?


Also a friend suggested that the SQL is still not secure. Said that I need to sanitize %(name)??
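A runnable demonstration of the three outcomes described in this thread (added here, not code from the original post), using an in-memory SQLite table in place of the MySQL database so it runs without a server; the function names and the sample player names are my own. It reproduces the unquoted `%s` leak, the `'%s'` syntax error, and the parameterized form that the friend's advice amounts to.

```python
import sqlite3

# Constructed sample data standing in for the thread's PLAYERS table.
PLAYERS = [("pete",), ("anna",), ("li",)]
INJECTED_INPUT = "'pete' OR '1'='1'"   # the input from the original post


def make_db():
    """In-memory SQLite stand-in for the MySQL database (no server needed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PLAYERS (NAME TEXT)")
    db.executemany("INSERT INTO PLAYERS VALUES (?)", PLAYERS)
    return db


def query_formatted(db, name, quoted):
    """The original post's approach: user input pasted into the SQL text.
    quoted=False reproduces `%s`, quoted=True reproduces `'%s'`.
    Returns the rows, or an error string when the resulting SQL is malformed."""
    if quoted:
        template = "SELECT * FROM PLAYERS WHERE NAME = '%s'"
    else:
        template = "SELECT * FROM PLAYERS WHERE NAME = %s"
    sql = template % (name,)
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def query_parameterized(db, name):
    """The fix: the driver binds `name` as a value, so it can never become SQL.
    SQLite uses `?` placeholders; MySQLdb uses `%s` as its placeholder with the
    same two-argument call, i.e. cursor.execute(sql, (name,))."""
    return db.execute("SELECT * FROM PLAYERS WHERE NAME = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_formatted(db, INJECTED_INPUT, quoted=False))  # every row leaks
    print(query_formatted(db, INJECTED_INPUT, quoted=True))   # error string
    print(query_parameterized(db, INJECTED_INPUT))            # [] : no such name
    print(query_parameterized(db, "pete"))                    # [('pete',)]
```

Quoting the placeholder only changes which way the query breaks; passing the value as a parameter is what keeps it from being interpreted as SQL.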


SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message

There is a syntax error here that has nothing to do with MySQL or injection. Your query breaks down into
''
pete
' OR '
1
'='
1
'
In the future please include the entire error message if you want some help.
