My friend is new to PHP concepts (and so am I), and he developed the code below. I know it is vulnerable, and I told him I could do stuff on his database, like messing with other tables, updating other values, etc.

The vulnerable part of the code is an INPUT that he uses for a common search. This is not a login.

<?php
// filter_input() with the default filter returns the raw string unchanged
$email = filter_input(INPUT_GET, 'email');

if ($email != '') {
    // $email is interpolated straight into the SQL text
    $stm = $db->query("SELECT * from clients WHERE email = '$email'");
    $result = $stm->fetchAll();
}

The problem is I can't do it, because query() only allows one statement per query. Is there a way to mess with anything important on his database? (This is a challenge for me to prove IN PRACTICE his mistakes)

Mark Goebs
  • [If you’re limited to the existing statement, you can only exploit the statement’s capabilities.](http://stackoverflow.com/a/15732682/53114) – Gumbo Jan 25 '15 at 12:36
  • [Same question on Security.SE](http://security.stackexchange.com/q/80033/539) – Gumbo Jan 25 '15 at 16:13

2 Answers

0

A select query cannot modify data using any SQL injection, but it can be easily used to echo data from different tables (like usernames and passwords).

Read the second and third examples here: PHP's manual regarding SQL injection

Tomas M
0

With your code it's very easy to modify conditions of an SQL query.

I can easily get ALL the clients by making that condition always true:

http://localhost/inject.php?email=Client 1' OR '1'='1

I can even read details from another table:

http://localhost/inject.php?email=Client 1' UNION SELECT * FROM articles WHERE '1' = '1

It all depends on what you do with the results later, but as I have shown with these two simple examples, it's better to protect yourself.

Jakub Zalas
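As an added example (not code from the question or either answer), the search from the question side by side with a prepared-statement version, run against an in-memory SQLite database filled with constructed sample rows so it works offline; it assumes the PDO SQLite driver is installed. With the always-true input from the second answer, the interpolated query returns every client while the prepared one returns none.

```php
<?php
// Added example: vulnerable string-built query vs. PDO prepared statement.
// Assumes the pdo_sqlite extension; the clients table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, name TEXT)");
$db->exec("INSERT INTO clients (email, name) VALUES
    ('alice@example.com', 'Alice'),
    ('bob@example.com', 'Bob'),
    ('carol@example.com', 'Carol')");

// The pattern from the question: the input becomes part of the SQL text,
// so a quote in $email changes the structure of the WHERE clause.
function searchVulnerable(PDO $db, string $email): array
{
    $stm = $db->query("SELECT * FROM clients WHERE email = '$email'");
    return $stm->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the value is sent as a bound parameter, never as SQL,
// so it can only match a literal email address.
function searchSafe(PDO $db, string $email): array
{
    $stm = $db->prepare("SELECT * FROM clients WHERE email = :email");
    $stm->execute([':email' => $email]);
    return $stm->fetchAll(PDO::FETCH_ASSOC);
}

// The input the second answer uses to make the condition always true.
$input = "Client 1' OR '1'='1";

printf("interpolated query: %d rows\n", count(searchVulnerable($db, $input)));
printf("prepared statement: %d rows\n", count(searchSafe($db, $input)));
```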