how to test with sql Injection

Asked

Viewed 6,093 times

0

I want to do some tests of sql Injection. For this, I created a db called person and a table called users. I am passing some sql statements to test the ingestion of sql. Gives error, but does not execute the query:

connection file with the bank:

php connection.

$server="localhost";  
$user="root";  
$password="";  
$database="pessoa";  

//conexao com servidor de banco  
$connect = mysql_connect($server, $user, $password) or print(mysql_error());  

//se a conexao falhar  
if (!$connect) {  
echo "Conexão com servidor errou";    
}  

else {  
    //usar database  
$selectDB = mysql_select_db($database, $connect);     

//se database falhar  
    if (!$selectDB) {  
echo "Conexão com o banco errou";     
    }  
}  

index file.html

<html>  
<body>  

<form name="buscar" id="buscarId" action="server.php" method="post">  

<label for="Nome">Nome</label>  
<input type="text" name="nome" id="nomeId">  

<input type="submit" value="Buscar">  
</form>  >
</body>  
</html>  

php server file.

<?php  

include('connect.php');  

buscar();  

function buscar() {  
   echo "<p>";  
   $select = "select * from usuarios where nome='$_POST[nome]'";      
   $query = mysql_query($select);  
   $rows=mysql_num_rows($query);  

   if ($rows==0) {  
      echo "Nome não encontrado";  
   } else {   
      while ($dados=mysql_fetch_array($query)) {  
         print_r($dados);  
      }  
   }  
}  
?>  

In the form that searches by name, instead of giving the name, I put a query:

select * from users

of course this is not a command for the bank, it is a search because it is in single or double quotes:

select * from usuarios

makes the mistake:

( ! ) Warning: mysql_num_rows() expects Parameter 1 to be Resource, Boolean Given in path folder.

I’ve already done:

$select = "select * from usuarios where nome='.$_POST[nome].'";  

threshing gets:

select * from usuarios where nome='.select * from usuarios.', ou seja, não executa o que está em $_POST;   

And I also made:

$select = 'select * from usuarios where nome=$_POST[nome]';  

Também não funciona. Só não entendi porque tem que concatenar.

2 answers

2

When you say:

"select * from usuarios where nome='$_POST[nome]'"

You are sending the following command to the database:

select * from usuarios where nome='$_POST[nome]'

If you want to concatenate the contents of a variable into the string, do so instead:

"select * from usuarios where nome='" . $_POST[nome] . "'"

(or how you PHP programmers make your concatenations ;) ) (Thanks guys for showing me what PHP concatenation is with dot!)

So the PHP engine will not consider the snippet $_POST[nome] as a literal string.

Good luck!

  • 1

    Signal from + (more) ?

  • 1

    @Zoom I’ve never programmed in PHP in my life and I haven’t even read the manual... All I know about PHP is just looking over the shoulder of my XD colleagues

  • Exchange the + for ., with double variable quotes are interpreted in php :)

0

mysql_num_rows() expects Parameter 1 to be Resource, Boolean Given

It happens due to an error in the query, usually syntax, to say your code, first close select, add the terminator and send a new instruction (drop/trucate/delete etc).

The content of $_POST['nome'] must be '; delete from usuarios;

Example, with an updated driver (PDO) but using inappropriate techniques, the value of $_GET['id'] is in this example ; drop table livros. See the result the book information is displayed on the screen but the table no longer exists.

<?php
$db = new PDO('mysql:host=localhost;dbname=teste', 'usuario', 'senha');
$sql = 'SELECT * FROM livros WHERE id = '.$_GET['id'] ;
$stmt = $db->query($sql) or die(print_r($db->errorInfo()));
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));

Related:

Using addslashes against SQL injection is safe?

How to prevent SQL code injection into my PHP code

  • give an example of what the command would look like. From what I understood, it would be in the form field: "select * from usuarios"; trup table usuarios; that would be it?

  • @Andrénascimento, this or you can do something like or true; the generated select is something like: select * from usuarios where id = 10 or true

  • @Andrénascimento, some banks allow several querys to be executed, separated by ; the mysql_query() runs only one and ignores the rest, test the OR 1=1 or OR true in delete operation.

  • got it. As I’m doing with a string that’s the name, it gets harder. I made it with id and it worked.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.