
I am missing something with SQL injection


gostbuster


Hi guys,

I know that PrestaShop is protected against SQL injections; I read that on forums and have no problem trusting that point. But I was playing with code and there must be a basic thing I'm missing, because I'm able to do a SQL injection, at least to get a hacked result from the database.

Imagine I have a customer table like: customer(id, username, email, firstname, lastname)

And on the other hand a form asking for username (field added and class overridden) and email (to get firstname and lastname).

The code for the SQL request should be:

 

$query = new DbQuery();
$query->select('firstname');
$query->from('customer');
// (string) only casts the type; it does not escape quotes inside the value,
// so the value is concatenated straight into the SQL text
$query->where('username = "'.(string)$username.'"');
$query->where('email = "'.(string)$email.'"');

return Db::getInstance(_PS_USE_SQL_SLAVE_)->getValue($query);

In the form I typed:

login: testuser

password: " OR '1' = '1' OR ""="

The SQL query passed to the server is:

SELECT firstname,lastname
FROM `vdh_customer`
WHERE (username = "testuser") AND (email = "" OR '1' = '1' OR ""="")

And it gives me back a result...

Is that considered SQL injection? Or am I doing something really bad, like a newbie?

Thanks for your advice; I'm getting lost with that and it's troubling my mind.
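For reference, an added stand-alone script (not from this post or from PrestaShop's code) that rebuilds the concatenated where() clause above against an in-memory SQLite table and contrasts it with a query that passes the same values as bound parameters. The customer row is constructed, and literals are single-quoted because SQLite does not reliably accept the double-quoted strings MySQL allows by default; the hardening inside PrestaShop itself is to wrap each value with pSQL() in the where() call.

```php
<?php
// Added example; SQLite is used only so this runs offline without PrestaShop.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, email TEXT, firstname TEXT, lastname TEXT)');
// Constructed sample row.
$pdo->exec("INSERT INTO customer VALUES (1, 'testuser', 'test@example.com', 'Ada', 'Lovelace')");

// Mirrors the post's where('email = "'.(string)$email.'"'): the cast changes the
// type, not the content, so quotes inside $email become part of the SQL grammar.
function lookupConcatenated(PDO $pdo, string $username, string $email): ?string
{
    $sql = "SELECT firstname FROM customer WHERE (username = '" . (string)$username . "')"
         . " AND (email = '" . (string)$email . "')";
    $value = $pdo->query($sql)->fetchColumn();
    return $value === false ? null : $value;
}

// Hardened: the values travel as bound parameters and are never parsed as SQL text.
// The PrestaShop equivalent is 'email = "'.pSQL($email).'"' inside where().
function lookupBound(PDO $pdo, string $username, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT firstname FROM customer WHERE username = :u AND email = :e');
    $stmt->execute([':u' => $username, ':e' => $email]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// The post's input, rewritten with single quotes for SQLite.
$payload = "' OR '1' = '1' OR ''='";
printf("concatenated, payload: %s\n", lookupConcatenated($pdo, 'testuser', $payload) ?? 'no row');
printf("bound, payload:        %s\n", lookupBound($pdo, 'testuser', $payload) ?? 'no row');
printf("bound, real email:     %s\n", lookupBound($pdo, 'testuser', 'test@example.com') ?? 'no row');
```

The concatenated lookup returns the row even though the email is wrong, while the bound lookup only matches when the real email is supplied.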
