
I'm creating a test project for my classmates to show how PHP code with unchecked variables is dangerous. I'm using the deprecated mysql_* functions and a simple database with 2 tables:

users  
data

and in users I have just the admin user.

I have created a simple html form:

    <form action="login" method="POST">
        username: <input type="text" name="username">
        password: <input type="text" name="password">
        <input type="submit" value="login">
    </form>

and the login.php page simply gets the POST data and builds the query like this:

    <?php
    // assumes mysql_connect() and mysql_select_db() were already called earlier in the page
    $uname = strtolower(trim($_POST['username']));
    $passw = strtolower(trim($_POST['password']));

    // user input is concatenated straight into the SQL string (this is the deliberate flaw)
    $result = mysql_query("
        SELECT *
        FROM users
        WHERE username='".$uname."' and password=MD5('".$passw."')"
    );
    if (mysql_num_rows($result) != 1) {
        echo "Non valid";
    } else {
        echo "Logged in";
    }

and this is my input in the username field (note the trailing space after the --):

    ' or 1=1 -- 

which should produce a query like:

    SELECT * FROM users WHERE username='' or 1=1 -- ' and password=MD5('')

If I run this query in Sequel Pro or phpMyAdmin it gives me the first row of the table, so it works. But if I submit the form the result is "Non valid".

I also tried the password field with this input (again with a trailing space after the --):

    ') or 1=1 -- 

and this is the generated query:

    SELECT * FROM users WHERE username='' and password=MD5('') or 1=1 -- ')

but the result is the same: it works in Sequel Pro but not in the form.

I think that the mysql_query function does not recognize the -- comment. Am I right?
What am I doing wrong?

  • Please post the exact error you are receiving from executing the query via mysql_query(). Commented Oct 12, 2013 at 10:31
  • @Christian: can you check the number of rows in table users? If there is more than one, see my answer below, otherwise I'll have to resign ;) Commented Oct 12, 2013 at 10:36
  • Ciao Christian, did you try to LIMIT 1 your query? Are you sure that your code will return only one row? Commented Oct 12, 2013 at 11:06
  • @Your Common Sense, your comment is not useful. I'm studying this stuff, it's my first approach and my teacher asked me to prepare a demo to see if I'm able to study something that he hasn't taught yet, so any help is appreciated, no sarcasm. Commented Oct 12, 2013 at 12:43
  • I wouldn't call it sarcasm but rather bitterness. If he didn't teach you debugging, he isn't a teacher at all, but rather a commonplace cargo cult preacher. If he did, you have to study what you have been taught first. Commented Oct 12, 2013 at 12:48

1 Answer


Try this in the username field:

    ' or 1=1 or '

and enter whatever password you want. Don't forget about the space after the 's. It turns your code into this:

    mysql_query("select * from users where username='' or 1=1 or '' and
    password=".md5('$pass'))

and it always returns true.

It MUST work. If it doesn't, do this:

    echo "
        SELECT *
        FROM users
        WHERE username='".$uname."' and password=MD5('".$passw."')";

and post the result as a comment for me, maybe I can help you.


2 Comments

Same result as my tests: the query works in Sequel Pro but not in mysql_query. I used ' or 1=1 or ' (with a trailing space) as username and hello as password, and the echo returns: SELECT * FROM users WHERE username='' or 1=1 or ' ' and password=MD5('hello')
Oh, you should put MD5() in the '', try this and let me know what happened.
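The following is an added example, not code from the question or the answer. It reproduces the question's login.php string building in Python (strtolower(trim()) and concatenation) so the effect of the two payloads discussed above can be checked offline: the question's "' or 1=1 -- " payload and the answer's comment-free "' or 1=1 or '" payload. Two things it assumes: an in-memory SQLite database stands in for MySQL, with an MD5() function registered by hand because SQLite has none, and a constructed users table whose only row is admin with the invented password s3cret. One MySQL-specific fact drives the first check: MySQL only treats "--" as a comment when it is followed by whitespace, and trim() removes exactly that trailing space, so the query MySQL receives ends in --' and password=MD5('') with an unterminated string. SQLite does not have that rule, so the example only builds that query string and does not execute it; the live runs use the comment-free payload. It also goes one step beyond the thread and shows that with more than one user the injection still returns every row, which the mysql_num_rows($result) != 1 check then rejects, the point raised in the comments about LIMIT 1.

```python
import hashlib
import sqlite3


def make_db(extra_users=()):
    """Constructed fixture: SQLite in place of MySQL, with a hand-registered MD5().
    The only row by default is admin / s3cret (invented credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', MD5('s3cret'))")
    for name, pw in extra_users:
        conn.execute("INSERT INTO users (username, password) VALUES (?, MD5(?))", (name, pw))
    conn.commit()
    return conn


def build_query(username, password):
    """Same string building as the question's login.php:
    strtolower(trim($_POST[...])) followed by concatenation into the SQL text.
    str.strip() plays the role of PHP's trim(): it also removes a trailing space."""
    uname = username.strip().lower()
    passw = password.strip().lower()
    return ("SELECT * FROM users WHERE username='" + uname
            + "' and password=MD5('" + passw + "')")


def vulnerable_rows(conn, username, password):
    """Runs the concatenated query exactly as built; the attacker's text is parsed as SQL."""
    return conn.execute(build_query(username, password)).fetchall()


def vulnerable_login(conn, username, password):
    """Mirrors the question's check: mysql_num_rows($result) != 1 means 'Non valid'."""
    return "Logged in" if len(vulnerable_rows(conn, username, password)) == 1 else "Non valid"


def safe_login(conn, username, password):
    """Hardened version: placeholders bind the input as data, never as SQL syntax.
    (The equivalent in PHP is a prepared statement with mysqli or PDO.)"""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=MD5(?)",
        (username.strip().lower(), password.strip().lower()),
    ).fetchall()
    return "Logged in" if len(rows) == 1 else "Non valid"


if __name__ == "__main__":
    # 1. The question's payload: trim() eats the space MySQL needs after "--".
    print(build_query("' or 1=1 -- ", ""))

    # 2. The answer's payload needs no comment, so trim() cannot break it.
    conn = make_db()
    print(build_query("' or 1=1 or '", "hello"))
    print("vulnerable:", vulnerable_login(conn, "' or 1=1 or '", "hello"))
    print("parameterised:", safe_login(conn, "' or 1=1 or '", "hello"))
    print("parameterised, real credentials:", safe_login(conn, " Admin ", "s3cret"))

    # 3. With a second user the injection returns every row and the != 1 check rejects it.
    two = make_db([("bob", "hunter2")])
    print("rows returned:", len(vulnerable_rows(two, "' or 1=1 or '", "x")))
    print("vulnerable with two users:", vulnerable_login(two, "' or 1=1 or '", "x"))
```

Running it prints the two built query strings and then the login outcomes for each variant. The first printed query ends in --' and password=MD5('') because the trailing space was trimmed; that is the string MySQL would reject, while SQLite would happily treat the rest of the line as a comment, which is why that case is only printed here and the executed cases use the payload without a comment.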
