You can see every SQL command which your mysql database receives.
In your mysql interface you can set where the log file will be written and then turn on the logging option (change the log filename as applicable; the path must be writable by the user the MySQL server runs as, and a SET GLOBAL takes effect immediately but does not survive a server restart):
set global general_log_file = '/var/log/mysql.log';
set global general_log = 'ON';
To check the current value of these variables, type this in your mysql interface:
show global variables where variable_name like 'general_log%';
Then, in a shell on the database host, run:
tail -f /var/log/mysql.log
and you'll see every new SQL statement the database receives (on a busy server the file grows quickly, so don't leave the log on longer than you need it).
And of course to turn it all off again, type this in the mysql interface:
set global general_log = 'OFF';
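Once the general log is on, it is also the first place an injection attempt shows up. As an added example (not code from the article or its zip file), here is a small Python scanner over constructed general_log lines, assuming the entry format recent MySQL versions write (timestamp, connection id, command, statement); it flags two classic injection signatures and, more usefully against automated blind injection, a run of statements from one connection that differ only in their literals. The patterns, thresholds and sample lines are my assumptions.

```python
import re

# Entry header as recent MySQL versions write it (assumed): <timestamp> <conn id> <Command> <Argument>
ENTRY = re.compile(r"^(\S+)\s+(\d+)\s+(\w+(?: DB)?)\s*(.*)$")

# Crude statement signatures; each can false-positive on legitimate comment text.
SIGNATURES = {
    "tautology": re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\b", re.I),
    "comment-trunc": re.compile(r"(--\s|#|/\*)"),
}

# Constructed sample: one normal comment search, then a few probes on connection 7.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000002Z\t    7 Query\tSELECT id, body FROM comments WHERE body LIKE '%hello%'
2024-05-01T10:00:01.000003Z\t    7 Query\tSELECT id, body FROM comments WHERE body LIKE '%%' OR '1'='1%'
2024-05-01T10:00:03.000004Z\t    7 Query\tSELECT id, body FROM comments
\tWHERE body LIKE '%x%' AND 1=1-- %'
2024-05-01T10:00:03.000005Z\t    7 Query\tSELECT id, body FROM comments WHERE body LIKE '%x%' AND 1=2-- %'
2024-05-01T10:00:03.000006Z\t    7 Query\tSELECT id, body FROM comments WHERE body LIKE '%x%' AND 2=2-- %'
"""

def parse_general_log(text):
    entries = []                             # [conn_id, command, argument]
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([int(m[2]), m[3], m[4]])
        elif entries:                        # continuation of a multi-line statement
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]

def normalize(sql):
    # Collapse string and numeric literals so automated probes share one shape.
    sql = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    sql = re.sub(r"\b\d+\b", "?", sql)
    return re.sub(r"\s+", " ", sql).strip().upper()

def scan(text, repeat_threshold=3):
    """Return [(conn_id, reason, detail)] for statements worth a closer look."""
    findings, shapes = [], {}
    for conn, cmd, arg in parse_general_log(text):
        if cmd != "Query":                   # skip Connect, Quit, Init DB, ...
            continue
        findings += [(conn, name, arg) for name, rx in SIGNATURES.items() if rx.search(arg)]
        shape = (conn, normalize(arg))
        shapes[shape] = shapes.get(shape, 0) + 1
        if shapes[shape] == repeat_threshold:   # same shape, only literals vary
            findings.append((conn, "repeated-shape", shape[1]))
    return findings
```

Run it against a real file with `scan(open('/var/log/mysql.log').read())`; the repeated-shape rule is what catches a scripted blind attack even when no signature matches.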
This carries on from the SQL injection article. The previous example was slightly contrived, since I was using information I already knew about the database and the query results were being displayed in the page; I was just trying to introduce the concepts. Here I'm introducing automated blind SQL injection. Source code for this article is available in a zip file.
I'm going to create the worst blogging software in the world: a single web page displaying a list of comments, where users can post new comments or search for comments. The data will be stored in a MySQL database. The site is going to have horrendous security flaws (on purpose). Then I'm going to hack its innermost secrets just through the web page. Then I'll show you how to make it secure.