2

I'm currently testing vulnerabilities to SQL injections for my company's application as an IT trainee.

So I found that the application is indeed vulnerable to injections because I can alter some of the insert statements.

So I altered the insert statement to this:

INSERT INTO tablename( column, column1, column2, column3, column4,column5, column6, column7, column8 ) 
VALUES ( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100',
18); 

DELETE * 
  FROM tablename;-- , 2023,'a', CURRENT_DATE, 'v0201100', 18 )

I thought this should be a correct statement, but the MySQL server returned this error: MySQL Error: 1064 (You have an error in your SQL syntax;[...]

Would be nice if somebody could help and tell me why the syntax is wrong...

Thanks for your help :-)

Edit: Thanks for all your answers. :) Unfortunately the * wasn't the problem. I tried to execute the statement (the statement is executed by PHP) without the delete part, so the statement looks like this:

[...] VALUES( 10963455, 182951959, 23, 23,2023, '', CURRENT_DATE, 'v0201100', 18)--, 2023, '', CURRENT_DATE, 'v0201100', 18 )

But even then the MySQL server returned the same error. Here is the full error message:

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--, 2023, '', CURREN' at line 17) Session halted.

Would really appreciate it if anyone knew the problem.

2
  • Hi freddy, welcome to SO. Tell us what "engine" executes the query (i.e. PHP). Also, in MySQL's error message, [...] actually tells you where the error is. Can you provide that too? Commented Jan 4, 2011 at 12:31
  • The comment itself should be valid, but perhaps it needs a space between the statement and the comment. Commented Jan 4, 2011 at 20:07

7 Answers

5

If that sample chunk of query is executed in a SINGLE ->query() call, MySQL's driver doesn't allow multiple queries within a single query call. It eliminates the bobby tables type injection attacks, but doesn't prevent injecting values that would manipulate where clauses and whatnot.


1 Comment

+1. Like this answer. Didn't realise you could do this. I wonder if there is an alternative in .NET land...
5

Having a look at the MySQL spec for DELETE, there is no suggestion that you can include * immediately proceeding the DELETE statement. Try removing it.

The * is used in a select statement to select all columns. Specifying it here makes no sense, as you are deleting rows.

I believe the -- commented-out line will be ignored by the parser (I would certainly expect it to be), so that bit of code should be ok. If in doubt remove it as a test.

1 Comment

It seems the -- really is the problem. I tried to use # and /* but that doesn't work either.
0

When I split your SQL statement on multiple lines using ; as separator, I get:

1) VALUES( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100', 18);
2) DELETE * FROM tablename;
3) -- , 2023, 'a', CURRENT_DATE, 'v0201100', 18 )

To me, 3) doesn't look like valid SQL...

2 Comments

It's a comment, so it's valid SQL.
I believe that is a valid MySQL comment and will be ignored.
0

MySQL doesn't allow a delete query without a where statement. You can use:

DELETE * FROM tablename WHERE 1 = 1

You may also have to remove the * after delete, it doesn't look like MySQL supports that.

6 Comments

Are you sure? In the Docs linked to from James's answer it says [WHERE where_condition] I thought square brackets meant not required.
Is that so? The spec for DELETE (dev.mysql.com/doc/refman/5.0/en/delete.html) implies that it is optional.
I thought DELETE FROM tablename would be enough for deleting everything. You cannot delete just one column...
@Martin, James: It seems that this restriction has been dropped somewhere along the way. Earlier versions definitely had it.
The restriction applies to MySQL's safe-mode. If enabled you weren't allowed to do updates or deletes without a where clause. To prevent accidentally destroying your entire table. I don't know if the option is still available but statements without a where clause are valid.
0

@freddy: DELETE * FROM tablename should be DELETE FROM tablename.

Comments

0

The ANSI SQL definition for DELETE statements does not include an asterisk *.

Try, DELETE FROM tablename

Comments

-1

Additionally, you are using an SQL injection. The reason why SQL injections are possible at your company is a secret (just use prepared statements), but this isn't the question. Most SQL injections are caused by using mysql_query() without filtering/escaping. mysql_query() allows only 1 query. There has to be mysql_multi_query() if this should work. Modifying data in SELECT statements is prohibited by MySQL.

Comments
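As an added example (not code from the thread or from the asker's application), here is the question's nine-column INSERT written first the way the question describes it (values concatenated into the SQL string and run through a single query() call, the situation the first answer explains) and then as the mysqli prepared statement the last answer recommends. It assumes a mysqli connection in $db and user-supplied values in $input; the table and column names are the question's placeholders, backtick-quoted because column is a reserved word in MySQL.

```php
<?php
// Added illustration, not the application's own code. Assumes a mysqli
// connection $db and an associative array $input of user-supplied values.

// Vulnerable form: values are pasted into the SQL text, so an input containing
// a quote, a ';' or a '-- ' sequence becomes part of the statement itself.
function insertVulnerable(mysqli $db, array $input): bool
{
    $sql = "INSERT INTO `tablename` (`column`, `column1`, `column2`, `column3`,"
         . " `column4`, `column5`, `column6`, `column7`, `column8`)"
         . " VALUES ({$input['column']}, {$input['column1']}, {$input['column2']},"
         . " {$input['column3']}, {$input['column4']}, '{$input['column5']}',"
         . " CURRENT_DATE, '{$input['column7']}', {$input['column8']})";
    // mysqli::query() runs exactly one statement, so an appended ';DELETE ...'
    // is rejected with error 1064, but the inserted values themselves can still
    // be altered by the caller.
    return $db->query($sql) === true;
}

// Hardened form: the statement text is fixed and parsed once; the values travel
// separately via bind_param(), so they can never change the SQL grammar.
function insertPrepared(mysqli $db, array $input): bool
{
    $stmt = $db->prepare(
        "INSERT INTO `tablename` (`column`, `column1`, `column2`, `column3`,"
        . " `column4`, `column5`, `column6`, `column7`, `column8`)"
        . " VALUES (?, ?, ?, ?, ?, ?, CURRENT_DATE, ?, ?)"
    );
    if ($stmt === false) {
        return false; // prepare failed (bad SQL or connection problem)
    }
    // Type string: i = integer, s = string, in placeholder order. The types
    // mirror the literals in the question (numbers, '', 'v0201100', 18).
    $stmt->bind_param(
        'iiiiissi',
        $input['column'], $input['column1'], $input['column2'], $input['column3'],
        $input['column4'], $input['column5'], $input['column7'], $input['column8']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```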
