SQL injection with python

Question

Jack_9 -4 Junior Poster

10 Years Ago

Hello fellow python lovers of daniweb.com. This isn't as much a question as much as the fact that I want to see how different people would go about using python to inject an SQl database. I made a script were you can access the ip and run a command. NOTE:Obviously I didn't give an actual database. Who am I kidding you guys aren't stupid. Here's my injection script

import MySQLdb

db = MySQLdb.connect(host="localhost", # your host, usually localhost
                     user="USER", # your username
                      passwd="PWD", # your password
                      db="MySQLdb") # name of the data base

# you must create a Cursor object. It will let
#  you execute all the queries you need
cur = db.cursor()

python

4 Contributors
4 Replies
8K Views
3 Years Discussion Span
Latest Post 6 Years Ago Latest Post by phoenix079

Schol-R-LEA 1,446 Commie Mutant Traitor

10 Years Ago

Actually, you've misunderstood what the term 'SQL injection' means, and fortunately for you, your script doesn't involve any. All your code does is open a connection to a MySQL database server and create a cursor, the basic steps interacting with a database.

SQL injection is a (bad) way of building a SQLquery string, in which user input is inserted directly to a text query string and then executed:

name = raw_input("What is your name?")
cur.execute("SELECT * FROM Students WHERE Name = '%s';" % name)

The reason this is a bad idea is the same reason while it was a bad idea to use input() in Python 2.x: because the user could put anything into the input, not just their name, and the 'data' will get executed along with the query. For example, if I entered Robert'; DROP TABLE Students; --, the final query string would read

"SELECT * FROM Students WHERE Name = 'Robert'; DROP TABLE Students; --';"

which would wreak havoc on the database.

The way to avoid SQL injection is to use a prepared statement, which is a feature of the database that vetts the data automatically for you, making the above scenario less likely.

name = raw_input("What is your name?")
cur.execute("SELECT * FROM Students WHERE Name = %s;", (name))

This may seem like a trivial difference, but when using the prepared statement, the database checks the validity of the interpolated data, making sure that the cannot execute undesireable code.

BTW: the mysqldb library hasn't been updated since June 2013, and only works with Python 2.x. The preferred way to interact with MySQL nowadays is the MySQL Connector/Python, which is provided by the MySQL team themselves.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

David W 131 Practically a Posting Shark · Answer 1 · 2014-10-08T18:38:17+00:00

or? .... could use latest Python 3 with:

import sqlite3

Schol-R-LEA 1,446 Commie Mutant Traitor Featured Poster · Answer 2 · 2014-10-08T22:32:35+00:00

Except that SQLite is a completely different database system.

phoenix079 0 Newbie Poster · Answer 3 · 2018-05-30T18:51:30+00:00

Hi,
I tried to mimic your code in my toy database but apparently I'm getting this error
mysql.connector.errors.InternalError: Unread result found after executing the command. I know this error is caused by not using buffered cursor reader, but even after doing so db.cursor(buffered=True), the error didn't go away. I managed to exploit my code with simpler inputs like anything OR 'x'='x' but executing a whole new command did not seem to work in this way, atleast in my case. I was wondering if you ran the code by yourself and tested it.