So I was busy playing around with the Python module MySQLdb and looking
at SQL injection.

import MySQLdb

def hack(name):
    # Connection details are placeholders: host, user, password, database
    db = MySQLdb.connect('xxx', 'xxx', 'xxx', 'xxx')
    cursor = db.cursor()
    # Deliberately vulnerable: the user input is pasted straight into the SQL text
    sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name,)
    print(sql)
    cursor.execute(sql)
    print(cursor.fetchall())
    db.close()

I entered
hack("'pete' OR '1'='1'")

results were:
SELECT * FROM PLAYERS WHERE NAME = 'pete' OR '1'='1'
and the entire database of players showed up

but when I entered '%s' in the SQL statement
results were:
SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message.

So just to ask: does adding '' around %s treat the entire user input as a string and not as an SQL query?

Also, a friend suggested that the SQL is still not secure. They said that I need to sanitize %(name)??

SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''
with an error message

There is a syntax error here that has nothing to do with MySQL or injection. Your query breaks down into:
''
pete
' OR '
1
'='
1
'
In the future, please include the entire error message if you want some help.
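The following is an added example, not code from the original poster, that reproduces the three situations discussed in the thread side by side: the unquoted %s, the quoted '%s' (which errors on the poster's input but is still injectable with input shaped for it), and the parameterized query the friend is pointing at. To run offline it uses Python's built-in sqlite3 with an in-memory table and constructed sample rows instead of a MySQL server; sqlite3 uses '?' placeholders where MySQLdb uses '%s', but the execute(sql, params) shape is the same.

```python
import sqlite3

# Constructed sample data, not from the original post.
PLAYERS = [("pete", 10), ("anna", 20), ("bob", 30)]


def make_db():
    """In-memory stand-in for the poster's PLAYERS table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PLAYERS (NAME TEXT, SCORE INTEGER)")
    db.executemany("INSERT INTO PLAYERS VALUES (?, ?)", PLAYERS)
    return db


def query_unquoted(db, name):
    """Poster's first version: bare %s, input pasted into the SQL text."""
    sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name,)
    return db.execute(sql).fetchall()


def query_quoted(db, name):
    """Poster's second version: '%s'. Still string-built, still injectable."""
    sql = "SELECT * FROM PLAYERS WHERE NAME = '%s'" % (name,)
    return db.execute(sql).fetchall()


def query_parameterized(db, name):
    """Hardened: the driver binds the value, so input is never parsed as SQL.
    With MySQLdb the equivalent is cursor.execute(sql_with_%s, (name,))."""
    sql = "SELECT * FROM PLAYERS WHERE NAME = ?"
    return db.execute(sql, (name,)).fetchall()


def attack_matrix():
    """Run each query style against honest and hostile input.
    Returns rows on success, or 'error: <ExceptionName>' on a SQL error."""
    db = make_db()
    poster_input = "'pete' OR '1'='1'"   # exactly what the poster typed
    adjusted_input = "' OR '1'='1"       # same attack, reshaped for the '%s' template
    cases = [
        ("unquoted/pete", query_unquoted, "pete"),
        ("unquoted/poster", query_unquoted, poster_input),
        ("quoted/poster", query_quoted, poster_input),
        ("quoted/adjusted", query_quoted, adjusted_input),
        ("param/pete", query_parameterized, "pete"),
        ("param/adjusted", query_parameterized, adjusted_input),
    ]
    results = {}
    for label, fn, user_input in cases:
        try:
            results[label] = fn(db, user_input)
        except sqlite3.Error as exc:
            results[label] = "error: %s" % exc.__class__.__name__
    db.close()
    return results


if __name__ == "__main__":
    for label, outcome in attack_matrix().items():
        print("%-18s %s" % (label, outcome))
```

Reading the results: the bare %s form fails on the honest name (pete is parsed as a column) and dumps every row on the poster's input; the '%s' form rejects the poster's input only because the extra quotes happen to break the syntax, and returns every row once the attacker drops the outer quotes from the payload; the parameterized form returns pete's row for "pete" and nothing for the payload, because the driver hands the value to the database separately from the statement text instead of splicing it into the string.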
