SQL injection with username and password

Question

 $sel1 = mysql_query ("SELECT ID, name, locale, lastlogin, gender,
 FROM  USERS_TABLE
 WHERE (name = ’$user’ OR email = ’$user’) AND pass = ’$pass’");

I tried logging in with the user as (with the user I want being 'test'):

     test')");--

I figured that should eliminate the check for pass but I did not any ideas what I did wrong?

Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — jso, Nov 08 '15 at 20:18
I see 3 syntax errors here. I also don't understand your question's title. — Funk Forty Niner, Nov 08 '15 at 22:13
Alright, my bad. Did understand the question the other way. (Obviously I wasn't the only one confused). — jso, Nov 08 '15 at 22:22

score 0 · Answer 1 · answered Nov 08 '15 at 20:40

0

You shouldn't use '"'. The " in that string is is not part of the string itself. Try this:

test')--

answered Nov 08 '15 at 20:40

Ivar

6,138
12
49
61

score -1 · Answer 2 · edited May 23 '17 at 11:52

-1

In your case just use mysql_real_escape_string for checking (documentation).

$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$sel1 = mysql_query (...

See How can I prevent SQL injection in PHP? however.

Note that mysql_query() is nowadays deprecated.

edited May 23 '17 at 11:52

Community

1
1

answered Nov 08 '15 at 20:16

jso

484
5
13

I'm given that vulnerable sql statement and the goal is to input the injection into the username field the the UI so that I can login with any username. I guess i should have phrased my question better. – user3388579 Nov 08 '15 at 20:20
`mysql_real_escape_string` is deprecated. – Ivar Nov 08 '15 at 20:37
Sure it is, identically to `mysql_query` which was present in the question (and mentioned in the answer). – jso Nov 08 '15 at 22:20

SQL injection with username and password

2 Answers2