How do I make my test website vulnerable to SQL injection?

Question

Here's a snippet of my login.php code:

if (isset($_POST['login'])){
    $username = $_POST['user'];
    $password = $_POST['pass'];
    $query = mysqli_query($con, "SELECT * FROM users WHERE password='$password' and username='$username'");
    $row = mysqli_fetch_array($query);
    if ($row > 0) {         
        $_SESSION['user_id']=$row['user_id'];
        header('location:home.php');    
    } else {
        echo 'Invalid Username and Password Combination';
    }
}
?> 

the login works, but when I try to bypass the auth/login by inputting ' or ''=' it returns this error

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\x\x\x\x.php on line 32

The login works when I input a valid user that is on the database: Sample

Username: admin
Password: admin

What I wanna do is to bypass the login by inputting(sql injection)

Username: admin  
Password: **' ANYTHING ''='**

But then inputting ' ANYTHING ''=' returns the error mentioned above.

Answer 1

You're getting that warning because the values you injected caused the query to fail, probably because of a MySQL syntax error.

Try these values instead:

$password = "' OR 'a'='a";
$username = "admin";

This will give the SQL string:

SELECT * FROM users WHERE password='' OR 'a'='a' and username='admin'

Which should be valid and return the admin user record.