2

I'm trying to use SQL Injection on my local server.

My Script is:

$query="SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND admin_password ='".$pwd."'";

Now when I use `admin' OR '1'='1'"; #` as the name, my query becomes

SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND admin_password ='*****'

When I check this query up to the `1` it works fine, but it does not work in the script.

I don't get the quotes issue. Can anyone help me?

Daniel W.
  • I wrote a bit of an answer on SQL injection you might want to read: http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/18872292#18872292 – Fluffeh Mar 20 '14 at 10:42
  • Instead of `OR '1'='1'"; #`, pass `' OR 1=1;--` in the injection; it won't work if you don't close the first quote of `admin_name='`. – Daniel W. Mar 20 '14 at 10:47
  • You might want to read up on general SQL injection. PHP.net has some interesting material, particularly on converting the type of string you use in order to try to counter the injection: http://www.php.net/manual/en/security.database.sql-injection.php – aashnisshah Mar 20 '14 at 10:52
  • Why do you add an extra quotation mark in your input? Try with `admin' OR '1'='1'; #` – michal.hubczyk Mar 20 '14 at 11:02

2 Answers

3

I think the information in your question is wrong:

SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND

putting in admin' OR '1'='1'"; # makes it:

SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND

which is wrong (PHP) syntax because of the final double quote `"`.

If you put in `' OR 1=1;--`, the output is compliant with the PHP syntax:

SELECT * FROM tbl_admin WHERE admin_name ='' OR 1=1;--' AND

Update:

Due to invalid edits of the original question, my answer does not fit the rolled-back revision.

Daniel W.
  • Somebody botched up the bad username in an edit. The original value which the OP posted was `admin' OR '1'='1'"; #`, which would correctly inject the `OR '1'='1'` clause. Could you please edit your answer accordingly? – Carsten Mar 20 '14 at 10:54
  • @Carsten I rolled the question back to the original code, thx for the hint – Daniel W. Mar 20 '14 at 10:57
-2

Use the function `mysql_real_escape_string` in your query to avoid SQL injection.

I recommend using the MySQLi extension for better security.

Chintan
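As an added example (not the asker's script and not code from either answerer), here is the question's concatenated query beside a parameterized one, run against an in-memory SQLite table through PDO so it can be executed offline with the `php` CLI (pdo_sqlite). The table, the stored row and the password values are constructed for the demo. It uses the `admin' OR '1'='1` form: the first quote closes the `admin_name` literal and no trailing comment is needed, so it behaves the same on MySQL and SQLite. The parameterized function is what the second answer's MySQLi recommendation amounts to in practice: placeholders instead of escaping.

```php
<?php
// Added example, not from the original question or answers.
// Runs the asker's concatenation pattern and a parameterized query against an
// in-memory SQLite table (constructed data) so the difference is observable offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tbl_admin (admin_name TEXT, admin_password TEXT)");
$db->exec("INSERT INTO tbl_admin VALUES ('admin', 'correct-horse')"); // constructed row

// The query string exactly as the question builds it: input pasted into the SQL text.
function concatenatedQuery(string $uname, string $pwd): string
{
    return "SELECT * FROM tbl_admin WHERE admin_name ='" . $uname . "' AND admin_password ='" . $pwd . "'";
}

// Vulnerable form: the database parses whatever the user typed as part of the SQL.
function vulnerableLogin(PDO $db, string $uname, string $pwd): int
{
    return count($db->query(concatenatedQuery($uname, $pwd))->fetchAll());
}

// Hardened form: placeholders; the driver sends the values separately from the SQL,
// so a quote inside $uname can never terminate the literal.
function safeLogin(PDO $db, string $uname, string $pwd): int
{
    $stmt = $db->prepare("SELECT * FROM tbl_admin WHERE admin_name = ? AND admin_password = ?");
    $stmt->execute([$uname, $pwd]);
    return count($stmt->fetchAll());
}

// Two constructed inputs: a legitimate login and the injected name with a wrong password.
$cases = [
    'legitimate login'         => ['admin', 'correct-horse'],
    'injected name, wrong pwd' => ["admin' OR '1'='1", 'not-the-password'],
];

foreach ($cases as $label => [$uname, $pwd]) {
    echo $label, "\n";
    echo "  concatenated SQL : ", concatenatedQuery($uname, $pwd), "\n";
    printf("  rows returned    : concatenated=%d parameterized=%d\n",
        vulnerableLogin($db, $uname, $pwd),
        safeLogin($db, $uname, $pwd));
}
```

Run it with `php example.php`. For the legitimate login both functions return the admin row; for the injected name the concatenated query still matches the admin row despite the wrong password, because `'1'='1' AND admin_password ='...'` is OR-ed onto `admin_name ='admin'`, while the parameterized query matches nothing because the whole string `admin' OR '1'='1` is compared as a name. The MySQLi equivalent of `safeLogin` is `$stmt = $mysqli->prepare('SELECT * FROM tbl_admin WHERE admin_name = ? AND admin_password = ?'); $stmt->bind_param('ss', $uname, $pwd); $stmt->execute();`, which removes the need for `mysql_real_escape_string` altogether.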