1

Hi I want to show sql injection vulnerability through form input using PHP and MYSQL. Any suggestion how to go about.

Thanks

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Hemlata Bhundhoo
  • 11
  • 5
  • Not exactly sure what you're asking, but it sounds like this fits: http://stackoverflow.com/questions/9624292/is-this-a-secure-method-to-insert-form-data-into-a-mysql-database?lq=1 – Morpheus Oct 05 '15 at 22:25
  • Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Morpheus Oct 05 '15 at 22:25
  • in your input that connects to a mysql function, try use sql functions like DELETE table_name; or TRUNCATE table_name – Matthew Carpenter Oct 05 '15 at 22:27
  • You might also want to tag it with mysql and php rather than sql so the right people come here. The SQL tag is a bit too ambiguous. – CSS Oct 05 '15 at 22:47
  • Thanks for replying excuse me for being vague. I know how to prevent sql injection by adding striplashes and real_escape_string. I want to demonstrate a vulnerable login which is not working by simply removing the striplashes. I even tried; admin' 1-- and its giving me wrong username or password. – Hemlata Bhundhoo Oct 06 '15 at 00:04

2 Answers2

0

You can use Kali Linux to hack into the php website. Here is a tutorial on how to do that.

Alex Lowe
  • 783
  • 3
  • 20
  • 43
0
mysql_query("INSERT INTO `table` (`column`) VALUES ('$inject_variable')");

If you have query like this you can insert something like value'); DROP TABLE table;-- to the $inject_variable to test the injection.

Hence, your SQL query will became this:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

This will allow other users to drop the table.

cw fei
  • 1,534
  • 1
  • 15
  • 33