Why can't this be SQL injected?

Question

I have to make an application that can be SQL injected, but I can't make it possible to SQL inject. I tried everything to SQL inject it, but I didn't succeed. It's possible to write the username like admin'# because that comments out the line.

I hope you can help me. You see my code just underneath.

<?php
    include('include/config.php');
    include('parts/header.php');

    $submit = $_POST['submit'];
    $username = $_POST['username'];
    $password = $_POST['password'];

    if ($submit) {
        if(!empty($username OR !empty($password))) {
            $sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");

            if(mysql_num_rows($sqlQuery) == 1) {
                // Success - admin'#
                echo "LOGGEDIN";
                $_SESSION['loggedin'] = 1;
            }
            else {
                echo "Wrong password or username";
            }
        }
        else {
            echo "You didn't fill every field.";
        }
    }
?>

<div id="container">
    <form action="login.php" method="POST">
        <input type="text" name="username" placeholder="Type user name...">
        <input type="password" name="password" placeholder="Type password...">
        <input type="submit" name="submit" value="Log in">
    </form>
</div>

Its not live anywhere, im local. The condition works fine. It is possible to login. — Kevin Steen Hansen, Sep 15 '16 at 11:57

Vasim Shaikh · Answer 1 · 2016-09-15T12:53:54.050

-2

<?php
 include('include/config.php');
 include('parts/header.php');


$submit = $_POST['submit'];
$username = (int)$_POST['username'];
$password =(int)$_POST['password'];

if ($submit) {
    if(!empty($username OR !empty($password))) {
        $sqlQuery="SELECT * FROM users  WHERE user_login = '$username' AND password  = '$password'";

        //SELECT * FROM `wp_users` WHERE `user_login`='1' OR '1' = '1' AND `user_pass`='1' OR '1' = '1' 
        //$sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
        echo $sqlQuery;
        exit;
        if(mysql_num_rows($sqlQuery) == 1) {
            // Success - admin'#
            echo "LOGGEDIN";
            $_SESSION['loggedin'] = 1;
        } else {
            echo "Wrong password or username";
        }
    } else {
        echo "You didn't fill every field.";
    }
}
?>

<div id="container">
    <form method="POST">
        <input type="text" name="username" placeholder="Indtast brugernavn..">
        <input type="password" name="password" placeholder="Indtast kodeord..">
        <input type="submit" name="submit" value="Log ind">
    </form>
</div>

You Query output will be this and always true,

SELECT * FROM wp_users WHERE user_login = '7' AND user_pass = '7'

edited Sep 15 '16 at 12:53

answered Sep 15 '16 at 11:57

Vasim Shaikh

4,485
2
23
52

Doenst work :/ Gives me the wrong password statement. – Kevin Steen Hansen Sep 15 '16 at 12:01
did you check link? – Vasim Shaikh Sep 15 '16 at 12:02
this will affect for sure – Vasim Shaikh Sep 15 '16 at 12:08
7 OR 1=1 still gives me the wrong password still.. Did PHP add something in the .ini file? – Kevin Steen Hansen Sep 15 '16 at 12:16
1

Where did the quotes disappear from the query string? – JJJ Sep 15 '16 at 12:18
@Juhana result is SELECT * FROM users WHERE username = '7 or 1=1' AND password = 'vasim' – Vasim Shaikh Sep 15 '16 at 12:22
1

Yes, and how does that inject anything if the username is in quotes? – JJJ Sep 15 '16 at 12:25
@KevinSteenHansen you get a query result you can simply put in your db sql editor – Vasim Shaikh Sep 15 '16 at 12:25
this answer is just fantastic – Your Common Sense Sep 15 '16 at 12:50

score -9 · Answer 2 · edited Sep 15 '16 at 11:55

-9

You can use the mysql_real_escape_string function to make a variable secure:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

edited Sep 15 '16 at 11:55

Adriaan

17,741
7
42
75

answered Sep 15 '16 at 11:53

Decoder

11
2

My assignment is to make an application that isnt secure, but my code cant be sql injected :/ – Kevin Steen Hansen Sep 15 '16 at 11:54
you need to use htmlspecialchars() or strip_tags(). 1st will convert special chars like < to < that will show up as <, but won't be executed. 2nd just strip all tags out. – Decoder Sep 15 '16 at 12:02
check this link http://stackoverflow.com/questions/6857817/a-php-function-to-prevent-sql-injections-and-xss – Decoder Sep 15 '16 at 12:02
Think you misunderstand me. I have to make an UNSECURE login. – Kevin Steen Hansen Sep 15 '16 at 12:04
brother this will help you from sql injection. just try your 0=0 method after adding this script – Decoder Sep 15 '16 at 12:11
But i need sql injection. This script has to be unsecure. – Kevin Steen Hansen Sep 15 '16 at 12:17

Why can't this be SQL injected?

2 Answers2