First off, I'm not trying to hack or do anything illegal. I thought I'd ask what you know. I have a client who wants me to make some changes to his system, and when I look at it, I notice that NOTHING is escaped. I'm not joking, nothing is escaped. I explained to him that it is unstable to have such a system. Then he continues to tell me that he has had such a system for several years, and nothing happened. I need to show him that his system is unsafe, but I really don't know how to perform SQL injection. Here are a few queries that use $_GET and are not escaped.
SELECT *,DATE_FORMAT(joined,'%M %d, %Y') as \"Joined\" FROM `members` WHERE `name` LIKE '".$ltr."%' ORDER BY points DESC LIMIT $page,50
Here's another one:
SELECT * FROM groups WHERE id=$thisladder[grid]
The only thing I can see is that $_GET can be cleared by this function:
if (!ini_get('register_globals')) {
    $superglobals = array($_SERVER, $_ENV, $_FILES, $_COOKIE, $_POST, $_GET);
    if (isset($_SESSION)) {
        array_unshift($superglobals, $_SESSION);
    }
    foreach ($superglobals as $superglobal) {
        extract($superglobal, EXTR_SKIP);
    }
}
It is possible that the above function may sanitize variables. And yes, the system also uses register global variables, which is also bad.
I also made a backup just in case.
user962449
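For reference, here is how the two queries in the post look once rewritten with PDO prepared statements so that user input is bound as data rather than spliced into the SQL text. This is an added example, not the asker's code; it assumes a PDO connection to the same MySQL schema, a hypothetical `$dsn`, and that `$_GET['ltr']`, `$_GET['page']` and `$thisladder['grid']` carry the same values the original string-built queries used.

```php
<?php
// Added example, not from the original post: the same two queries with all
// request values bound as parameters. Assumed: PDO + MySQL, same table names.

function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, typed binds
    ]);
}

// Query 1: LIKE prefix search with a paging offset.
function membersByPrefix(PDO $pdo, string $ltr, int $page): array {
    // Build the LIKE pattern in PHP and bind it as one value: the input can
    // no longer close the quote or append clauses. Escaping % and _ also
    // stops a single wildcard character from matching every row.
    $pattern = addcslashes($ltr, '%_\\') . '%';
    $offset  = max(0, $page); // LIMIT arguments must be non-negative integers
    $stmt = $pdo->prepare(
        "SELECT *, DATE_FORMAT(joined, '%M %d, %Y') AS `Joined`
         FROM `members`
         WHERE `name` LIKE :pattern
         ORDER BY points DESC
         LIMIT :offset, 50"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Query 2: lookup by numeric id. The original interpolated the value unquoted,
// so any string reached the WHERE clause; here only an integer is accepted.
function groupById(PDO $pdo, $grid): ?array {
    if (filter_var($grid, FILTER_VALIDATE_INT) === false) {
        return null; // reject non-numeric input instead of querying with it
    }
    $stmt = $pdo->prepare("SELECT * FROM groups WHERE id = :id");
    $stmt->bindValue(':id', (int) $grid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with the request values the page currently reads via register_globals
// ($dsn, user and password are placeholders):
// $pdo   = connect('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'USER', 'PASS');
// $rows  = membersByPrefix($pdo, $_GET['ltr'] ?? '', (int) ($_GET['page'] ?? 0));
// $group = groupById($pdo, $thisladder['grid'] ?? '');
```

Turning `register_globals` off (and removing the `extract()` loop above) is a separate fix; binding parameters is what actually closes the injection, because the database receives the query shape and the values on different channels.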