
I've had a look around for an answer but unfortunately nothing has worked in my case.

EDIT: Different from other answers, as the code is required to be intentionally vulnerable, ignoring best practice.

I'm developing a feature on a web page which basically allows the user to, using a form, look up and see if a username is in a table in the database. If it is, the result of the query should be echoed or displayed back to them. This might sound odd, but the web page in question is to teach web vulnerabilities and the point of this exercise is for students to use SQL Injection to obtain the password for that username as well.

Here is the PHP...

<?php
$error = '';
if (isset($_POST['submit'])) {
    if (empty($_POST['user'])) {
        $error = "Please enter a username.";
    } else {
        //Define $user
        $user = $_POST['user'];
        //Establish connection with server by passing server_name, user_id and pass as parameters
        $sqli = mysqli_connect("localhost", "root", "");
        //Select Database
        $db = mysqli_select_db($sqli, "#");
        //Intentionally injectable: $user is interpolated straight into the SQL text
        $result = mysqli_query($sqli, "SELECT username FROM sqlusers WHERE username ='$user'");
        //mysqli_num_rows() takes the result set, not the connection
        $rows = mysqli_num_rows($result);
        if ($rows == 1) {
            //Fetch the single row and echo every column it contains, so an injected
            //extra column (e.g. the password) is displayed alongside the username
            $row = mysqli_fetch_row($result);
            echo implode(' ', $row) . " is in the database";
        } else {
            $error = "Username is not in the database";
        }
        mysqli_close($sqli); //Close connection
    }
}
?>

In the HTML I also have...

<?php echo $error; ?>

The feature should work as follows. Student uses form to check for Username1 in the database. Username1 is in the database, so they receive an echo saying 'Username1' is in the database. Then, using SQL Injection, they alter the query to select the password for that username as well, and are shown 'Username 1 Password1' is in the database.

I'm still learning PHP so please excuse obvious mistakes.

Thank you for your help and any assistance or tips would be greatly appreciated!

  • Is this your home work ? – S4NDM4N Aug 10 '17 at 03:49
  • No, a project I'm developing for first year security students, but as I said I am in no way proficient in web dev. – Colby Clayton Aug 10 '17 at 03:51
  • Ok, taking your word on it then. Yes, your code is wide open to injection, which you want them to do. Altering the query will be done manually; you don't need to echo the query, just echo the user name row, ex: $query["uName"]; and the password when the query gets altered. Send the selected data back to the log in using `header(location:bla.php?uname=".$_POST["uName"]);` and then echo it on the login page – S4NDM4N Aug 10 '17 at 03:59
  • Please stop using mysqli.. Search for PDO and read the differences. Better pick up good habits since the start – Raja Khoury Aug 10 '17 at 04:01
  • He's just trying to teach MySQL injection, so sqli will be good for this. – S4NDM4N Aug 10 '17 at 04:02
  • ...and the question is? – Your Common Sense Aug 10 '17 at 04:38
  • Given your other questions, I imagine you being a surgeon, teaching first year students to fix a broken leg and asking for advice on a forum. Why are you doing that, being deliberately under-qualified? – Your Common Sense Aug 10 '17 at 04:42
  • How would this code be best written in order to output the result of the query to the user, while also allowing them to alter the intended functionality of the query. – Colby Clayton Aug 10 '17 at 04:42
  • I fully understand the vulnerability and work in Cyber Security, I know full well how to exploit it and the implications. However, as mentioned, I am not a web dev and am a novice in PHP. However I would not want this to deter me from trying to instill a better learning experience on the next generation. Please refrain from commenting unless it relates to an answer to the question. Thank you. – Colby Clayton Aug 10 '17 at 04:44
  • So your question is how to display the result of a mysql query in php. And you are working in cyber security and have no idea how to use Google. An interesting case. – Your Common Sense Aug 10 '17 at 04:52
  • As previously mentioned, I am a novice in coding, and so what may be simple to you may not be so simple to others, which is why I am asking a coding community rather than traversing google for intentionally vulnerable code. We all have areas of proficiency, this is not mine, so please refrain from negative comments. – Colby Clayton Aug 10 '17 at 05:00

1 Answer

Please change the query like below:

$query = mysqli_query($sqli, "SELECT username FROM sqlusers WHERE username ='".$user."'");

You have made a mistake in PHP appending the string with the variable. Please try the above code; it will help you.

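The lookup described in the question, reproduced as an added example that is not part of the original post or the answer. It builds the same query string the PHP does, runs it against an in-memory sqlite3 table of constructed sample rows (sqlite3 stands in for MySQL so it runs offline; in MySQL the string concatenation would be CONCAT(username, ' ', password) rather than ||), and shows which payload makes the "exactly one row" check pass while leaking the password, next to the parameterised form that the same payload cannot alter. The table name and column names follow the question; the row contents are invented.

```python
"""Vulnerable username lookup beside its parameterised form (added example)."""
import sqlite3

NOT_FOUND = "Username is not in the database"


def make_db():
    """Constructed sample data: a two-column table like the question's sqlusers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sqlusers (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO sqlusers VALUES (?, ?)",
        [("Username1", "Password1"), ("Username2", "Password2")],
    )
    return conn


def render(rows):
    # Mirror the PHP: exactly one row is echoed (every column of it), anything else is an error.
    if len(rows) == 1:
        return " ".join(rows[0]) + " is in the database"
    return NOT_FOUND


def lookup_vulnerable(conn, user):
    # Same construction as the PHP: the input is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = "SELECT username FROM sqlusers WHERE username = '%s'" % user
    return render(conn.execute(sql).fetchall())


def lookup_safe(conn, user):
    # Bound parameter: the driver sends the value separately from the query
    # text, so the input can never change the shape of the statement.
    sql = "SELECT username FROM sqlusers WHERE username = ?"
    return render(conn.execute(sql, (user,)).fetchall())


# Classic tautology: returns both users, so the "== 1" check rejects it.
TAUTOLOGY = "Username1' OR '1'='1"

# UNION payload: the first SELECT matches no one ('x'), the second contributes
# exactly one row made of username and password, so the row-count check passes
# and the echo prints "Username1 Password1 is in the database".
PAYLOAD = (
    "x' UNION SELECT username || ' ' || password FROM sqlusers "
    "WHERE username = 'Username1"
)


if __name__ == "__main__":
    db = make_db()
    for candidate in ("Username1", TAUTOLOGY, PAYLOAD):
        print("vulnerable:", repr(candidate), "->", lookup_vulnerable(db, candidate))
        print("safe:      ", repr(candidate), "->", lookup_safe(db, candidate))
```

The row-count check in the question's code is why the tautology payload fails and the UNION payload succeeds: students have to shape the injected query so that the whole statement still yields a single row. The parameterised version treats every candidate as an opaque value and finds nothing for either payload.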