User talk:73.161.191.57

Hexation deletion:

I do wish Wikipedia would ask for an e-mail address if you don't have an account so when something like the "(citation needed)" comes up - Wikipedia could automatically send a message to the person so they can update the information. This is just - I don't know - a wish for the wishlist?

Anyway - The reason hexation (a self-coined term) works is because of how MySQL (or any SQL database program) works. Instead of just inserting the unhexed code into the SQL statement, what happens is that the SQL database creates a temporary variable to hold the unhexed string. When the SQL command is then executed the string is only treated as data and is not interpreted. This is what circumvents the SQL injection attempt. It is similar to doing the following:

set @temp=unhex(); select * from <TABLE> where id=@temp;

The reason an SQL injection works is because the string is inserted directly into the SQL request, and then the entire SQL request gets interpreted. It is the interpretation part that causes the SQL injection to work.

Example:

select * from <TABLE> where id='123' or 1=1; #'

(Note that the "#" is the comment symbol in MySQL.) When people usually create the SQL statement (in PHP) they usually just say:

$sql = "select * from <TABLE> where id=$myID";

It is the usage of the "$myID" variable which contains the SQL injection from the hacker that causes the problem. By changing that to:

$sql = "select * from <TABLE> where id=unhex('" . bin2hex($myID) . "')";

You eliminate the SQL injection problem.

Take the following program as an example:

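<?php
// NOTE: the opening of this program (the mysqli connection call) did not survive
// on the page; the connection arguments below are placeholders.
$mysqli = new mysqli( "HOST", "USER", "PASSWORD", "DATABASE" );
if( $mysqli->connect_errno ){
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    exit;
}

// The injected string is pasted straight into the statement.
echo "SQL INJECTION - Plain\n";
$sql = "select * from log where log_id='2' or 1=1; #'";
$res = dosql( $sql );
foreach( $res[0] as $k=>$v ){ echo "RES[$k] = $v\n"; }

// The same string is hex-encoded in PHP and decoded by MySQL with unhex().
echo "\n\nSQL INJECTION = Hexation\n";
$sql = "select * from log where log_id=unhex('" . bin2hex("2' or 1=1; #") . "')";
$res = dosql( $sql );
foreach( $res[0] as $k=>$v ){ echo "RES[$k] = $v\n"; }

exit;

// Runs a statement and returns its rows as an array of associative arrays
// (the insert id for an insert, null for a delete or a non-result).
// The function header is reconstructed from the calls above. The original opening
// also ran "$mysqli->query( $cmd );", but the definition of $cmd did not survive.
function dosql( $sql )
{
    global $mysqli;

    $res = $mysqli->query( $sql );
    if( !$res ){
        // Report the line of the caller that issued the failing statement.
        $ary = debug_backtrace();
        if( isset($ary[1]) ){ $a = $ary[1]['line']; }
        else if( isset($ary[0]) ){ $a = $ary[0]['line']; }
        else { $a = "???"; }

        echo "ERROR @ " . $a . " : (" . $mysqli->errno . ")\n" . $mysqli->error . "\n\n";
        echo "SQL = $sql\n";
        exit;
    }

    if( preg_match("/insert/i", $sql) ){ return $mysqli->insert_id; }
    if( preg_match("/delete/i", $sql) ){ return null; }
    if( !is_object($res) ){ return null; }

    // Copy every row into a plain array.
    $cnt = -1;
    $ary = array();
    $res->data_seek(0);
    while( $row = $res->fetch_assoc() ){
        $cnt++;
        foreach( $row as $k=>$v ){ $ary[$cnt][$k] = $v; }
    }

    return $ary;
}
?>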

This outputs:

SQL INJECTION - PLAIN
RES[log_id] = 1
RES[date] = 2015-03-25 10:40:18
RES[entry] = show full columns from <TABLE>

SQL INJECTION = Hexation
RES[log_id] = 2
RES[date] = 2015-03-25 10:40:18
RES[entry] = select * from <TABLE> order by title asc

Note that the PLAIN SQL injection actually works - the first record is returned and not the second. But with the Hexation put in, the correct record is returned. Thus, by using the UNHEX command you no longer have to worry about SQL Injection attacks because it works.

Please restore this as it is really important that people know how to prevent SQL Injections to their databases.

Please note that >THIS< is the reference. You can try this with any type of incoming information and it will always work. So there isn't a citation per se as all you have to do is to try this out for yourself and you can see it works.

By: markem-AT-sim1-DOT-us 66.196.239.162 (talk) 16:27, 25 March 2015 (UTC)
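
The comparison from the post above, rerun as an added example (not the poster's code) with a bound parameter as a third variant. Assumptions: an in-memory SQLite database through PDO stands in for the MySQL server, so `CAST(X'..' AS TEXT)` replaces `unhex('..')` and `--` replaces `#`; the table rows and the `find_*` function names are constructed for the illustration.

```php
<?php
// Added example: SQLite in memory stands in for the post's MySQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed rows; log_id is TEXT so all three variants compare strings.
$db->exec("CREATE TABLE log (log_id TEXT PRIMARY KEY, entry TEXT)");
$db->exec("INSERT INTO log VALUES ('1', 'first entry'), ('2', 'second entry'), ('3', 'third entry')");

// Variant 1: the value is pasted into the SQL text, so the parser sees its quote.
function find_plain(PDO $db, string $id): array {
    $sql = "SELECT log_id FROM log WHERE log_id='" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Variant 2: hexation. bin2hex() emits only [0-9a-f], so nothing inside the
// literal can close the quote. X'..' with CAST replaces MySQL's unhex('..').
function find_hexation(PDO $db, string $id): array {
    $sql = "SELECT log_id FROM log WHERE log_id=CAST(X'" . bin2hex($id) . "' AS TEXT)";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Variant 3: bound parameter. The value never becomes part of the SQL text.
function find_bound(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT log_id FROM log WHERE log_id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A well-formed id, then the post's payload with SQLite's "--" comment marker
// in place of MySQL's "#" (constructed inputs).
$inputs = ["2", "2' or 1=1 --"];
foreach ($inputs as $id) {
    printf("input %s\n", var_export($id, true));
    foreach (['find_plain', 'find_hexation', 'find_bound'] as $fn) {
        printf("  %-14s -> [%s]\n", $fn, implode(', ', $fn($db, $id)));
    }
}
```

For the payload, `find_plain` returns every row while `find_hexation` and `find_bound` return none, because in both of those the quote arrives as data rather than as SQL text. The bound parameter gives that separation without building a literal by hand.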