LinuxQuestions.org > Forums > Linux Forums > Linux - Security

MySQL Injection With Apostrophe Question

#1, 06-23-2012, 06:47 AM: dman777 (Member; Registered: Dec 2010; Distribution: Gentoo; Posts: 232)

I was reading the tutorial on hardening a PHP web server. In it they show an exploit with an SQL injection:

Code:
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
If the user types:
Code:
' OR 1=1 #
in the username field box the code would look like:

Code:
SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
What I don't understand is how just one apostrophe makes Username = '".$_POST['username']."' into Username = ''? To me, with variable expansion in an even set of single quotes, that would make a total of 3 quotes: Username = '''.
 
#2, 06-24-2012, 03:00 AM: unSpawn (Moderator; Registered: May 2001; Posts: 29,415)

The hash makes it end up as "SELECT Username, Password FROM Users WHERE Username = '' OR 1=1"?
 
#3, 06-24-2012, 06:49 AM: Noway2 (Senior Member; Registered: Jul 2007; Distribution: Gentoo; Posts: 2,125)

I am going to add a short addendum to this thread because the code example makes me nervous and I want to be sure that we've properly explained what is happening so that someone doesn't read it and use the code. This isn't directed so much at the OP, but at anyone who comes along and reads this thread and doesn't fully understand it.

In the original post query, the PHP code had:
Quote:
WHERE Username = '".$_POST['username']."
Obviously the intent is to compare the field Username to the value that the client entered. The client data is read through the use of the superglobal $_POST and this example is meant to demonstrate an easy but serious flaw in site design. The superglobal variables contain the text as entered by the client; it has not been filtered. In this example, the exploit short circuits the query with the ' and then adds an OR TRUE statement. Since the latter part becomes true, the query then becomes select the username and password database.

What the tutorial is undoubtedly going to show you is that you need to change how the superglobal data is handled. For example:

Code:
<?php
$clientUsername = $_POST['username'];
$clientPassword = $_POST['password'];

// Illustrative stand-in for the "(some verification or filtering process)" step:
// a whitelist check that only allows letters, digits and underscore, with a
// bounded length. Adjust the allowed set to what your application accepts.
$valid = preg_match('/^[A-Za-z0-9_]{1,32}$/', $clientUsername) === 1
      && preg_match('/^[A-Za-z0-9_]{1,64}$/', $clientPassword) === 1;

if ($valid)
{
    // The values must still be quoted inside the SQL text; the whitelist above
    // is what guarantees they contain no quote or comment characters.
    $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '$clientUsername' and Password = '$clientPassword'");
}
else
{
    //handle bogus data entry
}
Then perform checks on these two fields to verify their legitimacy. This can be handled in several ways and is usually a source of confusion to new PHP programmers. The validations should make sure that it contains only allowed letters, numbers, and symbols, contains no special "escape" sequences, etc, and should also verify and truncate the length to a safe value. This can be done with the filters function, or manually. When possible it is better to compare the user input against expected values and select from those instead of using the input directly. The bottom line is that user input should NEVER be used directly.

In terms of passwords, you should consider using a hash such as an MD5 or SHA1. By saving the hashes, you 1) ensure that only valid alphanumeric values of proper length are stored in your database, 2) don't have the raw passwords for someone to steal, 3) hashing the user input automatically sanitizes it. Just be sure to salt your hash table to thwart the use of rainbow tables.
 
#4, 06-24-2012, 09:04 AM: dman777 (Original Poster)

I would like to know how the PHP interpreter takes one apostrophe from input and ends up with 2 apostrophes in the end result: Username = ''

*Update: nevermind...I see how it plugs in now and is expanded. Brain must be getting rusty.

Last edited by dman777; 06-25-2012 at 12:24 AM.
 
#5, 06-25-2012, 10:16 PM: sundialsvcs (LQ Guru; Registered: Feb 2004; Location: SE Tennessee, USA; Distribution: Gentoo, LFS; Posts: 10,657)

There is one, and as far as I am concerned only one way to deal with this problem: placeholders.

This is a very standard SQL feature. It works like this. You prepare a query that consists of the string: SELECT Username, Password, UserLevel FROM Users WHERE Username = ?; Notice the not-in-quotes question mark.

Now, when you prepare the query for execution (by whatever means, in whatever language), you separately provide a value to correspond to each placeholder. (The number of placeholders referred-to in the query, and the number of values that you supply, of course must match exactly or the attempt will fail.)

The SQL execution engine first examines the SQL-string to decide how it will do the work (the so-called execution plan). The plan refers to the placeholder values as variables that will be supplied when the query actually runs. (An added benefit of this scheme is that, having prepared the query one time, you can execute it any number of times, supplying different placeholder-values each time. The SQL-string itself is constant.)
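As an added example (it is not code from any poster in this thread), the following Python script shows the two things the thread is about: how the concatenated query from post #1 comes out with Username = '' OR 1=1 #' ... once the input is expanded inside the fixed quotes, and how the placeholder approach from post #5 treats the same text as plain data. It uses Python's built-in sqlite3 module standing in for MySQL; because SQLite does not treat # as a comment, the variant that is actually executed uses SQLite's -- comment syntax (a constructed substitution for this demo). The table, the two user rows and all inputs are constructed for the demo.

```python
import sqlite3

# Constructed in-memory database standing in for the MySQL Users table from post #1.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)")
conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse', 1)")
conn.execute("INSERT INTO Users VALUES ('bob', 'hunter2', 0)")
conn.commit()


def unsafe_sql(username, password):
    """Builds the query by string concatenation, as the PHP snippet in post #1 does.

    The quote characters around the values are part of the fixed SQL text, so an
    apostrophe inside the input closes the opening quote, and everything after
    it is parsed as SQL rather than as the username value.
    """
    return ("SELECT Username, Password FROM Users WHERE Username = '"
            + username + "' and Password = '" + password + "'")


def login_unsafe(username, password):
    """Executes the concatenated query and returns the matching rows."""
    return conn.execute(unsafe_sql(username, password)).fetchall()


def login_with_placeholders(username, password):
    """The approach from post #5: the SQL text is a constant containing '?'
    placeholders, and the values are handed to the driver separately, so they
    can never alter the structure of the statement."""
    sql = "SELECT Username, Password FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    # The page's own input: the resulting string is exactly what post #1 shows.
    print(unsafe_sql("' OR 1=1 #", ""))
    # SQLite comments start with --, so the executed demonstration uses that
    # variant (constructed for this demo); it returns every row in the table.
    print(login_unsafe("' OR 1=1 --", ""))
    # With placeholders the same text is just a username that nobody has.
    print(login_with_placeholders("' OR 1=1 --", ""))
    # Legitimate credentials still match.
    print(login_with_placeholders("alice", "correct horse"))
```

The script compares plaintext passwords only to mirror the query in the thread; storing and comparing password hashes, as post #3 recommends, is a separate concern and does not change how the placeholders work.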
 
  

