Creating an SQL injection

Hello,

First of all, I apologize if this is a very basic question, but I only started playing with Elixir last week, and my knowledge of Elixir and Phoenix is minimal.

I am creating a webapp based on Elixir / Phoenix that is on purpose vulnerable to several web attacks. What I am trying to achieve now is a basic SQL injection, but it seems that Phoenix is using parameterized queries, which makes it impossible to have an SQL injection.

The code so far looks like this:

content = Ecto.Adapters.SQL.query!(
  MyApp.Repo, "SELECT name,data from contents WHERE name=$1", [params["name"]]
)

If I execute the code with a typical SQL injection string like ' OR '1' = '1 then Phoenix replies with:

SELECT name,data from contents WHERE name=$1 ["' OR '1' = '1"]
[]

If I execute the code with some valid name, then I see this:

SELECT name,data from contents WHERE name=$1 ["Per"]
[["Per", "This is a test"]]

Which is what i would expect from this query.
So, my question is, is there a way to write the query code to make this SQL injection viable?

In Python, it was as simple as:

if request.method == 'POST':
    input = request.POST.get('input')
    query = "SELECT * from levels_content WHERE name = '%s'" % input
    result = Content.objects.raw(query)

Again, apologies if this is a very basic question, and thanks in advance for the help.

You probably want to drop down to a lower level library like :postgrex so that you can create injectable queries by hand?

Hey,

I checked here: https://hexdocs.pm/postgrex/Postgrex.html#query/4 for query/4, and it seems that passing attributes as parameters is mandatory - at least this is what I understand from this example:

Postgrex.query(conn, "SELECT id FROM posts WHERE title like $1", ["%my%"])

Ideally I would like to do some string interpolation, and end up with something like:
Postgrex.query(conn, "SELECT id FROM posts WHERE title like #{input}")

input being what I received from the HTML form.

You can do the same using Ecto itself:

MyApp.Repo.query("SELECT id FROM posts WHERE title like #{input}", [])

Thanks, that did the trick, here is the final line:

name = params["name"]
# Deliberately injectable: the form value is spliced into the SQL text
# instead of being passed as a $1 parameter.
content = Ecto.Adapters.SQL.query!(
  ElixirTrustlyctf.Repo, "SELECT name,data from contents WHERE name='#{name}'", []
)

Cheers
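The difference the thread turns on, shown end to end as an added example (this is not code from the original posts, nor Ecto, Phoenix or Postgrex code): a Python script against an in-memory SQLite table constructed here with the same shape as the thread's contents(name, data) table. query_interpolated mirrors the final Elixir line (WHERE name='#{name}'), query_parameterized mirrors the original $1 query (SQLite writes the placeholder as ?). The tautology payload is the one from the thread; the UNION payload reading sqlite_master is an assumption of this example, added to show that once the text is injectable an attacker can read other tables, not merely bypass the filter.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "contents" table
# (assumption of this example, not data from the original post).
SAMPLE_ROWS = [
    ("Per", "This is a test"),
    ("Anna", "Second row"),
]

# Payloads: the tautology from the thread, and a schema dump via UNION
# (the second is an assumption of this example; "--" comments out the
# trailing quote that the vulnerable query appends).
TAUTOLOGY_PAYLOAD = "' OR '1' = '1"
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def make_db():
    """Create an in-memory SQLite database shaped like contents(name, data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contents (name TEXT, data TEXT)")
    conn.executemany(
        "INSERT INTO contents (name, data) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def query_interpolated(conn, name):
    """The deliberately injectable form: user input becomes part of the SQL
    text, exactly like the final Elixir line in the thread, so the database
    parses whatever the user typed as SQL."""
    sql = f"SELECT name, data FROM contents WHERE name='{name}'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn, name):
    """The safe form (the thread's original $1 query): the input is sent as a
    bound value, never parsed as SQL, so the payload is matched literally
    against the name column and finds nothing."""
    sql = "SELECT name, data FROM contents WHERE name=?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both query styles with a valid name and with both payloads and
    return every result set keyed by scenario."""
    conn = make_db()
    return {
        "valid_interpolated": query_interpolated(conn, "Per"),
        "valid_parameterized": query_parameterized(conn, "Per"),
        "tautology_interpolated": query_interpolated(conn, TAUTOLOGY_PAYLOAD),
        "tautology_parameterized": query_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "schema_interpolated": query_interpolated(conn, SCHEMA_PAYLOAD),
        "schema_parameterized": query_parameterized(conn, SCHEMA_PAYLOAD),
    }


if __name__ == "__main__":
    for scenario, rows in demo().items():
        print(f"{scenario}: {rows}")
```

With a valid name both forms return the one matching row. With the tautology payload the interpolated query becomes WHERE name='' OR '1' = '1' and returns every row, while the parameterized query returns an empty list, which is exactly the [] the thread saw from the $1 version. The UNION payload makes the interpolated query return the CREATE TABLE statement from sqlite_master; the parameterized one again returns nothing.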