how to test with sql Injection

Question

how to test with sql Injection

Asked 8 years, 2 months ago

Viewed 6,093 times

0

I want to do some tests of sql Injection. For this, I created a db called person and a table called users. I am passing some sql statements to test the ingestion of sql. Gives error, but does not execute the query:

connection file with the bank:

php connection.

$server="localhost";  
$user="root";  
$password="";  
$database="pessoa";  

//conexao com servidor de banco  
$connect = mysql_connect($server, $user, $password) or print(mysql_error());  

//se a conexao falhar  
if (!$connect) {  
echo "Conexão com servidor errou";    
}  

else {  
    //usar database  
$selectDB = mysql_select_db($database, $connect);     

//se database falhar  
    if (!$selectDB) {  
echo "Conexão com o banco errou";     
    }  
}

index file.html

<html>  
<body>  

<form name="buscar" id="buscarId" action="server.php" method="post">  

<label for="Nome">Nome</label>  
<input type="text" name="nome" id="nomeId">  

<input type="submit" value="Buscar">  
</form>  >
</body>  
</html>

php server file.

<?php  

include('connect.php');  

buscar();  

function buscar() {  
   echo "<p>";  
   $select = "select * from usuarios where nome='$_POST[nome]'";      
   $query = mysql_query($select);  
   $rows=mysql_num_rows($query);  

   if ($rows==0) {  
      echo "Nome não encontrado";  
   } else {   
      while ($dados=mysql_fetch_array($query)) {  
         print_r($dados);  
      }  
   }  
}  
?>

In the form that searches by name, instead of giving the name, I put a query:

select * from users

of course this is not a command for the bank, it is a search because it is in single or double quotes:

select * from usuarios

makes the mistake:

( ! ) Warning: mysql_num_rows() expects Parameter 1 to be Resource, Boolean Given in path folder.

I’ve already done:

$select = "select * from usuarios where nome='.$_POST[nome].'";

threshing gets:

select * from usuarios where nome='.select * from usuarios.', ou seja, não executa o que está em $_POST;

And I also made:

$select = 'select * from usuarios where nome=$_POST[nome]';  

Também não funciona. Só não entendi porque tem que concatenar.

2

Required link: http://xkcd.com/327/

– Oralista de Sistemas

2016/05/05 at 14:49

2 answers

Browser other questions tagged php sql-injection

You are not signed in. Login or sign up in order to post.

by Oralista de Sistemas • **23,115** points · Answer 1 · 2016-05-05T14:39:52+00:00

When you say:

"select * from usuarios where nome='$_POST[nome]'"

You are sending the following command to the database:

select * from usuarios where nome='$_POST[nome]'

If you want to concatenate the contents of a variable into the string, do so instead:

"select * from usuarios where nome='" . $_POST[nome] . "'"

~~(or how you PHP programmers make your concatenations ;) )~~ (Thanks guys for showing me what PHP concatenation is with dot!)

So the PHP engine will not consider the snippet $_POST[nome] as a literal string.

Good luck!

by rray • **66,288** points · Answer 2 · 2016-05-05T14:45:22+00:00

mysql_num_rows() expects Parameter 1 to be Resource, Boolean Given

It happens due to an error in the query, usually syntax, to say your code, first close select, add the terminator and send a new instruction (drop/trucate/delete etc).

The content of $_POST['nome'] must be '; delete from usuarios;

Example, with an updated driver (PDO) but using inappropriate techniques, the value of $_GET['id'] is in this example ; drop table livros. See the result the book information is displayed on the screen but the table no longer exists.

<?php
$db = new PDO('mysql:host=localhost;dbname=teste', 'usuario', 'senha');
$sql = 'SELECT * FROM livros WHERE id = '.$_GET['id'] ;
$stmt = $db->query($sql) or die(print_r($db->errorInfo()));
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));

Related:

Using addslashes against SQL injection is safe?

How to prevent SQL code injection into my PHP code