PHP/MySQL Injection
# .htaccess for the demo directory.
# Magic quotes would silently backslash-escape every GET/POST value and mask
# the injection flaws the scripts below demonstrate, so they are switched off.
# (The directive was removed in PHP 5.4; on a modern interpreter it is inert.)
php_flag magic_quotes_gpc Off
# reset.sql holds the schema and seed data. Block direct HTTP access so the
# file can only be consumed by reset.php, which reads it from disk.
# NOTE: Apache 2.2 access-control syntax; Apache 2.4 writes the same rule as
# "Require all denied".
<files reset.sql>
order allow,deny
deny from all
</files>
-- reset.sql: drop and recreate the demo table with one seed row.
-- reset.php splits this file on ';' and runs each piece as a statement, so no
-- literal in here may contain a semicolon.
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int(11) NOT NULL auto_increment,
`first_name` varchar(255) collate utf8_bin NOT NULL,
`last_name` varchar(255) collate utf8_bin NOT NULL,
`age` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
-- NOTE(review): the age value is missing from this listing ('??'); it has to
-- be a number before reset.php can execute the statement.
INSERT INTO `users` (`id`, `first_name`, `last_name`, `age`)
VALUES (1, 'Maurits', 'van der Schee', ??)
<?php
// reset.php: rebuild the demo database from reset.sql.
// The messages are reproduced exactly; they are part of the demo's output.
$link = mysql_connect("localhost", "sqlinject", "password");
if (!$link) {
    die("Could not connect: " . mysql_error());
}
mysql_select_db("sqlinject", $link);

// reset.sql is read from disk (HTTP access to it is denied by .htaccess) and
// split on ';'. The split is naive: a semicolon inside a literal breaks it.
$statements = explode(";", file_get_contents("reset.sql"));
foreach ($statements as $statement) {
    // Abort on the first failing statement, echoing the server's reason.
    if (!mysql_query($statement, $link)) {
        die("Error: " . mysql_error() . " in $statement");
    }
}

echo "database reset complete";
mysql_close($link);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<!-- insert.html: the form that feeds insert.php. All three fields are
     free text and are sent to the server as-is; any validation has to happen
     server-side, because client-side checks are bypassed by simply not using
     this form. -->
<html>
<body>
<form action="insert.php" method="post">
First Name<br/>
<input type="text" name="first_name"/><br/>
Last Name<br/>
<input type="text" name="last_name" /><br/>
Age<br/>
<input type="text" name="age" /><br/>
<br/>
<input type="submit" value="Add"/>
</form>
</body>
</html>
<?php
// insert.php: the deliberately vulnerable INSERT behind insert.html.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// Every POST field is spliced verbatim into the SQL text. With magic quotes
// off (see .htaccess) a quote character in any field ends the string literal
// and the rest of the field is parsed as SQL. This is the injection the page
// is about; the remedy is the prepared statement in the last listing.
// The stored values are also never HTML-escaped when list.php prints them.
$sql="INSERT INTO users (first_name, last_name, age)
VALUES ('$_POST[first_name]','$_POST[last_name]','$_POST[age]')";
// Echoing mysql_error() and the SQL text to the browser discloses schema and
// query details to whoever caused the error.
if (!mysql_query($sql,$con)) die("Error: ".mysql_error()." in $sql");
echo "1 record added";
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<?php
// list.php: list every user with a view link and a delete link.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// No request data reaches this query, so it is not injectable itself.
$sql = "SELECT * FROM users";
// No link argument: ext/mysql falls back to the most recently opened link.
$result = mysql_query($sql);
if (!$result) die(mysql_error()." in $sql");
// The names are printed without htmlspecialchars(). insert.php stores them
// unchecked, so a name containing markup is rendered as markup here (stored
// XSS). Every database value should be escaped for HTML before it is echoed.
// The delete link is a state-changing GET request; see the note in delete.php.
while ($row = mysql_fetch_array($result))
{ echo "<a href=\"view.php?id=$row[id]\">";
echo "$row[first_name] $row[last_name]</a> ";
echo "<a href=\"delete.php?id=$row[id]\">x</a><br/>";
}
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<?php
// view.php: show one user by id. Vulnerable: id is interpolated unquoted.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// $_GET[id] lands in the WHERE clause with no quotes around it, so anything
// after the number is parsed as SQL. Quote-escaping would not help here
// because there is no quote to break out of; the value has to be forced to an
// integer (see the id=$id listing further down) or bound as a parameter
// (last listing).
$sql = "SELECT * FROM users WHERE id=$_GET[id] LIMIT 1";
$result = mysql_query($sql);
// Sending mysql_error() plus the full SQL text to the client turns every
// failed request into a diagnostic for whoever is probing the page.
if (!$result) die(mysql_error()." in $sql");
// Output is not HTML-escaped either; see list.php.
if ($row = mysql_fetch_array($result))
{ echo "First Name: $row[first_name]<br/>";
echo "Last Name: $row[last_name]<br/>";
}
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<?php
// delete.php: remove one user by id. Vulnerable on two counts.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// 1) $_GET[id] is interpolated unquoted, exactly as in view.php, so the WHERE
//    clause is caller-controlled and the DELETE is not confined to one row.
// 2) A destructive action is triggered by a plain GET with no authentication
//    and no CSRF token, so any page that makes a visitor's browser request
//    this URL deletes a record. Mutations belong behind POST plus a
//    per-session token, and behind an access check.
$sql="DELETE FROM users WHERE id=$_GET[id] LIMIT 1";
if (!mysql_query($sql,$con)) die("Error: ".mysql_error()." in $sql");
echo "1 record deleted";
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<?php
// view.php, attempt 1: quote the value. Still vulnerable.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// Wrapping the id in single quotes makes a bare SQL fragment part of a string
// literal, which stops the simplest injection from the previous listing. But
// a single quote inside $_GET[id] still terminates that literal, and magic
// quotes are off (.htaccess), so the remainder is SQL once more. Quoting
// without escaping is not a defence; it only changes what has to be sent.
$sql = "SELECT * FROM users WHERE id='$_GET[id]' LIMIT 1";
$result = mysql_query($sql);
if (!$result) die(mysql_error()." in $sql");
if ($row = mysql_fetch_array($result))
{ echo "First Name: $row[first_name]<br/>";
echo "Last Name: $row[last_name]<br/>";
}
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<?php
// view.php, attempt 2: mysql_real_escape_string(). Only partly effective.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// Escaping $value is the right tool for a single-quoted string literal: quotes,
// backslashes and NUL are backslash-escaped. Two caveats:
//  - ext/mysql escapes according to the link's character set, so this is only
//    reliable once the connection charset has been set with mysql_set_charset();
//    relying on the default leaves room for multibyte-encoding bypasses.
//  - the same function is applied to $field, which is then used as a column
//    name inside backticks. mysql_real_escape_string() does not escape
//    backticks, so the identifier stays caller-controlled. Identifiers cannot
//    be escaped like strings; validate $field against a fixed list of column
//    names instead.
$field = mysql_real_escape_string($_GET["field"]);
$value = mysql_real_escape_string($_GET["value"]);
$sql = "SELECT * FROM users WHERE `$field`='$value' LIMIT 1";
$result = mysql_query($sql);
if (!$result) die(mysql_error()." in $sql");
if ($row = mysql_fetch_array($result))
{ echo "First Name: $row[first_name]<br/>";
echo "Last Name: $row[last_name]<br/>";
}
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
<?php
// view.php, attempt 3: numeric cast plus allow-list. Effective for these inputs.
$con = mysql_connect("localhost","sqlinject","password");
if (!$con) die("Could not connect: ".mysql_error());
mysql_select_db("sqlinject", $con);
// "+0" turns the id into a number, so nothing but digits can reach the
// unquoted id=$id position. (On PHP 8 a non-numeric string here raises a
// TypeError rather than silently becoming 0 — confirm on the target version.)
$id = $_GET["id"]+0;
// Allow-list: everything except ASCII letters and spaces is stripped before
// the name goes inside quotes, so no quote, backslash or LIKE wildcard from
// the request survives; the only wildcard is the '%' appended here.
// Side effect: names containing non-ASCII letters are altered and will not
// match their stored form.
$first_name = preg_replace("/[^a-z ]/i","",$_GET["first_name"])."%";
// Both values are now safe in their own contexts, but this is a per-input
// fix that is easy to get wrong; the prepared statement in the next listing
// handles every input the same way.
$sql = "SELECT * FROM users WHERE id=$id or first_name LIKE '$first_name' LIMIT 1";
$result = mysql_query($sql);
if (!$result) die(mysql_error()." in $sql");
if ($row = mysql_fetch_array($result))
{ echo "First Name: $row[first_name]<br/>";
echo "Last Name: $row[last_name]<br/>";
}
mysql_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>
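<?php
// view.php, the remedy: a prepared statement with bound parameters.
// The SQL text is sent to the server separately from the values, so a value
// can never be parsed as SQL regardless of its content.
$con = mysqli_connect("localhost","sqlinject","password","sqlinject");
// mysqli_connect_error(), not mysql_error(): the ext/mysql function knows
// nothing about this mysqli link and reports nothing useful for it.
if (!$con) die("Could not connect: ".mysqli_connect_error());
// Name the columns instead of SELECT * so bind_result below cannot silently
// pair its variables with the wrong columns if the table layout changes.
$sql = "SELECT id, first_name, last_name, age FROM users WHERE id=? or first_name LIKE ? LIMIT 1";
$stmt = mysqli_prepare($con, $sql);
// mysqli_prepare() returns false on failure; binding against false is fatal.
if (!$stmt) die("Error: ".mysqli_error($con)." in $sql");
// A missing id becomes 0 (no row has id 0) instead of an undefined-index notice.
$id = isset($_GET["id"]) ? (int)$_GET["id"] : 0;
// The trailing '%' is part of the bound value, not of the SQL. '%' and '_'
// typed by the user remain LIKE wildcards; harmless here, but they widen
// the match.
$first_name = (isset($_GET["first_name"]) ? $_GET["first_name"] : "")."%";
mysqli_stmt_bind_param($stmt, 'is', $id, $first_name);
if (!mysqli_stmt_execute($stmt)) die("Error: ".mysqli_stmt_error($stmt)." in $sql");
mysqli_stmt_bind_result($stmt, $row_id, $first, $last, $age);
if (mysqli_stmt_fetch($stmt))
{ // Escape before emitting into HTML: the names were stored by insert.php
  // unchecked, so a name containing markup would otherwise render as markup.
  echo "First Name: ".htmlspecialchars($first, ENT_QUOTES, 'UTF-8')."<br/>";
  echo "Last Name: ".htmlspecialchars($last, ENT_QUOTES, 'UTF-8')."<br/>";
}
mysqli_stmt_close($stmt);
mysqli_close($con);
echo "<br/><a href=\"list.php\">list</a>|<a href=\"insert.html\">add</a>";
?>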
© 2009, Maurits van der Schee