How to insert php codes into database?

Question

I'm testing my mysql codes vulnerability.
This is the php injection:

$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");

Or any other php code, like blow:

<?php mysqli_close($conn); ?>

My purpose is to insert them into DB but don't execute them.
Actualy these codes are gonna inserted into DB from an html input form by a user and I wan to display them for the user.(sth like messaging)
Problem:
The problem is that when I try to insert them into DB it fails, my insert query is this:

mysqli_query($conn,"INSERT INTO table (usr,id,message,date) VALUES ($usr,'$id','$message','$date')");

The codes are in $message.
I also should add this validation function:

function validate($data)
{
    stripslashes($data);
    htmlspecialchars($data);
    htmlentities($data);
    strip_tags($data);
    addslashes($data);
    return($data);
}

Before inserting $message into DB I have validated it by this function validate($message) but even this can't fix the problem.

I have searched but there's no results for this question in google!
Any one knows how to insert codes into mysql database?

simply use prepared-statemants and not clearing the insert data by yourself. By the way: How about `base64_encode` before saving into database. Then you dont have problems with single-quotes and backslashes that can be a part of php. — JustOnUnderMillions, Apr 25 '17 at 13:15
And just a note on your `validate()` function: You return the data unchanged. Normaly in php you will do this `$data = stripslashes($data);` `$data = htmlspecialchars($data);` depends on the used function. Readmore on php.net for each function. — JustOnUnderMillions, Apr 25 '17 at 13:17
just read about prepared statements: http://php.net/manual/en/mysqli.prepare.php http://stackoverflow.com/questions/1290975/how-to-create-a-secure-mysql-prepared-statement-in-php — Alex, Apr 25 '17 at 13:34

score 0 · Accepted Answer · answered Apr 25 '17 at 14:54

0

Escape your input data with a real_escape_string function: http://php.net/manual/en/mysqli.real-escape-string.php

Now you can safely create a legal SQL string that you can use in an SQL statement.

answered Apr 25 '17 at 14:54

Andrei Duca

372
2
11

Thanks for your answer. I knew this function but I haven't used it for a long time and I completely forgot it! – Alexander Jones Apr 25 '17 at 19:21
Also I should add this to your answer to complete it: Use `htmlspecialchars()` to show php codes in html page. – Alexander Jones Apr 25 '17 at 19:23
And an even better idea is to use prepared statements, as @Alex mentioned too. My solution is strictly for your specific problem. – Andrei Duca Apr 26 '17 at 08:16

score 0 · Answer 2 · answered Aug 19 '17 at 19:25

To insert code php in database, following this options : 1. To insert data, use htmlspecialchars. example :

$string = '<?php echo "Hello world"; ?>';
htmlspecialchars($string);

Before read/get data, use htmlspecialchars_decode. Example : htmlspecialchars_decode($string);

Hope this maybe can help you :-)

How to insert php codes into database?

2 Answers2