Testing for SQL injection but resulting in error?

Question

Hi i know parameterized statements and escaping data is good practice for preventing SQL injection. But i was curious to see it in action so i set up a database to see . The problem is i keep getting a error or its not injecting correctly.

$ans = $_POST['answer'];
$query = "SELECT username from `members` where password = '$ans'";
$c = $db ->query($query);
$c=$c->fetch(PDO::FETCH_ASSOC);
echo $c['username'];

I tried the typical 'Or 1=1' injections and its variations and i keep coming up with errors on the fetch or it not working at all.

Escaping is not good practice. If you use prepared statements consistently (instead of string interpolation), there is no need to mess around with escaping. — Oliver Charlesworth, Apr 20 '14 at 12:05
To test for injectjon one have to understand many various things, like what sql injection is, what SQL is, what query to run, what query to forge, etc. Without such understanding, an error is the most possible outcome — Your Common Sense, Apr 20 '14 at 12:07
Thank you for the reference , how would i learn more about this? — MikanPotatos, Apr 20 '14 at 12:12
@Dahnny012 , The link _YCS_ suggested has sufficiently more information. So you completed reading the whole thread ?? — Shankar Narayana Damodaran, Apr 20 '14 at 12:15
You may also have a look at [*How SQL Injection works through URL* on Security.SE](http://security.stackexchange.com/a/36881/539). — Gumbo, Apr 20 '14 at 21:29

Alexey Palamar · Answer 1 · 2014-04-20T13:17:44.013

-2

$sql="SELECT username from `members` where password = :mypassword";

// Create prepared statement
$stm = $db->prepare($sql);
$stm->bindParam(':mypassword', $ans, PDO::PARAM_STR);
$stm->execute();

echo $stm->fetchColumn();

edited Apr 20 '14 at 13:17

answered Apr 20 '14 at 12:09

Alexey Palamar

1,440
1
10
16

Testing for SQL injection but resulting in error?

1 Answers1