I have written code in PHP which enables an admin to log in. The password info is fetched from the table. I know it is not good practice to write this kind of code and I should use prepared statements or mysqli_, but I just want to learn about SQL query vulnerability. I just want to know how my code is vulnerable to SQL injection. How can I bypass the password restriction? I tried inputting password = 'anything' OR 'x'='x' in the password field but it is not bypassing it. This is my code:

<?php
if (isset($_POST["Submit"])) {
    include 'db_connect.php';
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    // $pass is interpolated into the SQL string unescaped: this is the injectable line.
    $checkquery = "select * from adminlogin where password='$pass' ";
    $queryex = mysql_query($checkquery);
    $row = mysql_fetch_array($queryex);
    $checkcasepass = $row['password'];

    // Second check: the fetched column value is compared with the raw input,
    // so a row returned by injection still fails unless the two strings match.
    if ($user == 'admin' && strcmp($checkcasepass, $pass) == 0) {
        setcookie("admin", $user);
        setcookie("student", "", time() - 3600);
        header("location: admin option.php");
    } else {
        echo "Sorry User Name and Password is Wrong";
    }
}

I changed my query string to this for testing purposes:

$checkquery="select * from adminlogin where password='$pass' OR 1=1 ";

but it didn't work. Can it be due to magic quotes? But I am using PHP 5.4.3 and magic quotes is already deprecated. I am wondering why SQL injection is not working?

  • You should use PDO if you can help it; mysql_* functions are officially deprecated. Learn about prepared statements instead, and use PDO or MySQLi. Check out this comparison and, if you choose PDO, here is a good tutorial. Commented May 3, 2013 at 16:33
  • @dirt Whilst you are very correct to state this, the user specifically says they understand that and want to understand how injection works. Commented May 3, 2013 at 16:43
  • Why don't you just echo the resulting query and post it here? Commented May 3, 2013 at 16:48
  • Why am I downvoted??? I just want to understand how SQL injection works. I always use PDO in my projects. Commented May 3, 2013 at 16:48
  • Here's an explanation: bobby-tables.com/about.html Commented May 3, 2013 at 16:59

2 Answers

The way you chose to test for injection is wrong.

This code allows an injection all right, but the verification code does not check the number of rows found; it checks the returned value.

But again, speaking of SQL injection: it works fine with this code, injected all right.

1 Comment

Yup! I got it when I carefully examined the code. It is injecting, but the code matches the value of the string with the column value that is fetched in the query.

Change 'anything' OR 'x'='x' to anything' OR 'x'='x . The leading ' and trailing ' are already there; in effect the query you are trying will look like

select * from adminlogin where password=''anything' OR 'x'='x''

which isn't valid SQL.

10 Comments

Getting this using var_dump: string 'select * from adminlogin where password='anything' OR 'x'='x' ' (length=62)
Getting this: string 'select * from adminlogin where password='anything' OR 1=1' ' (length=59)
You have to comment out the rest of the string, like I pointed out in my example. You must do anything' OR 'x'='x';--
@Jonast92 No need to comment it out for 'x' = 'x, as select * from adminlogin where password='anything' OR 'x'='x' from the var_dump is valid SQL.
If he wants to ignore the password part then he must. But my bad, he's only checking with 1 input instead of 2 (only checking for password, not username as well).
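To put both answers side by side, here is an added example (not code from the question or either answer) that reproduces the page's login logic against a constructed in-memory SQLite table: the interpolated query is injectable, the single-quoted input is a syntax error, the strcmp-style second check still rejects the injected login, and a parameterised query closes the hole. The table contents and the sample password 's3cret' are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's adminlogin table (one admin row).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE adminlogin (password TEXT)")
    db.execute("INSERT INTO adminlogin VALUES ('s3cret')")
    return db


def build_query(pw):
    # Same string interpolation as the PHP on the page: the input is pasted
    # straight into the SQL text, so quotes in it change the statement.
    return f"select * from adminlogin where password='{pw}' "


def is_valid_sql(db, pw):
    # True if the interpolated statement parses; the doubly quoted input from
    # the question produces password=''anything' OR 'x'='x'' and does not.
    try:
        db.execute(build_query(pw))
        return True
    except sqlite3.Error:
        return False


def rows_for(db, pw):
    # The injection itself: how many rows the interpolated query returns.
    return db.execute(build_query(pw)).fetchall()


def login_vulnerable(db, user, pw):
    # Mirrors the PHP: injectable query, then the fetched column is compared
    # with the raw input (strcmp == 0). A row obtained via OR 'x'='x' holds the
    # real password, which never equals the injected string, so login fails.
    row = db.execute(build_query(pw)).fetchone()
    fetched = row[0] if row else None
    return user == "admin" and fetched == pw


def login_safe(db, user, pw):
    # Parameterised form: the input is bound as data and never parsed as SQL,
    # so the injected string simply matches no row.
    row = db.execute("select * from adminlogin where password=?", (pw,)).fetchone()
    return user == "admin" and row is not None
```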