I am writing a piece of code for a simple login page using PHP and MySQL, so I'm trying to pentest it myself. I used curly braces to wrap around my variables $password and $username in my query and it totally blocked my attempts to bypass it.
I know I can use mysqli_real_escape_string and prepared statements, and I'm not asking how to secure my code here; I want to check it this way and know how a hacker penetrates this exact code. I tried passing `' or 1=1 -- -` just like when there wasn't a curly brace around the variable, but it didn't work. I also tried `}' or 1=1 -- -` but couldn't bypass it. So the question is: do curly braces enhance the security? And if not, what is the payload to inject?

The code below is what I'm using to connect to my database.

```php
<?php

if (isset($_POST['login'])) {

    $connection = mysqli_connect('localhost', 'root', '', 'users');
    $username = $_POST['username'];
    $password = $_POST['password'];

    // User input is interpolated straight into the SQL text; the braces only
    // delimit the variable name for PHP's parser and do not quote or escape anything.
    $query = "SELECT * FROM users WHERE username='{$username}' AND password='{$password}'";
    $select_user_query = mysqli_query($connection, $query);
    // mysqli_fetch_result() does not exist; mysqli_fetch_assoc() returns the row or null.
    $select_user_result = mysqli_fetch_assoc($select_user_query);
    if (!$select_user_result) {
        die("Username not found");
    } else {
        echo "logged in";
    }
}
```
ItsJay
    [Little Bobby](http://bobby-tables.com/) says your script is at risk for [SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Learn about [prepared statements](https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) the string is not safe! – Jason K Aug 09 '19 at 13:21
  • thnx, yeah I know a little about prepared statements but I'm trying to learn both attack and defences, so right now I'm playing with these simple unsecure ones. Just want to know how this one cracks! – ItsJay Aug 09 '19 at 13:28
  • *"just want to know how this one cracks!"* `{}` does nothing to protect, see [phponline sandbox](http://sandbox.onlinephpfunctions.com/code/799b943df953043cf91d99f591d680d7b0524eb9). The generated `SELECT * FROM users WHERE username='root' AND password='1' OR '1' = '1'` would crack it for the user 'root' and allow access without a valid password.. injection for `$_POST['password']` would be `1' OR '1' = '1` .. Also see [demo](https://www.db-fiddle.com/f/xbdbVsJq5oFbmoYaJt5PzF/0) – Raymond Nijland Aug 09 '19 at 13:38
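The point made in the comments above can be checked without a database at all: PHP's `"{$var}"` syntax is only a parsing aid and produces byte-for-byte the same string as `"$var"`. The example below is added here and is not code from the question or any answer. It builds the question's query both ways with the password value quoted in Raymond Nijland's comment, shows the two strings are identical, and then shows the same lookup as a mysqli prepared statement. The host, user and database name are the ones from the question; `findUser` is a name chosen for this example.

```php
<?php
// Added example: demonstrates that curly-brace interpolation changes nothing
// about the resulting SQL text, and contrasts it with a parameterised query.

// The query exactly as the question builds it, with braces.
function buildQueryWithBraces(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username='{$username}' AND password='{$password}'";
}

// The same query without braces.
function buildQueryWithoutBraces(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username='$username' AND password='$password'";
}

// Constructed inputs: the password value quoted in the comment above.
$username = 'root';
$password = "1' OR '1' = '1";

$withBraces    = buildQueryWithBraces($username, $password);
$withoutBraces = buildQueryWithoutBraces($username, $password);

var_dump($withBraces === $withoutBraces); // bool(true): braces are invisible in the output
echo $withBraces, PHP_EOL;
// SELECT * FROM users WHERE username='root' AND password='1' OR '1' = '1'
// The quote inside the input closes the string literal, so the remainder of the
// input is parsed as SQL. That is the injection; the braces never saw it.

// Safe version: the statement text is fixed and the values are sent separately,
// so input can only ever be compared as data, never parsed as SQL.
function findUser(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage against a live server (credentials as in the question):
// $db = new mysqli('localhost', 'root', '', 'users');
// var_dump(findUser($db, $username, $password)); // NULL: no user has that literal password
```

Running the first half needs no server; the `var_dump` prints `bool(true)` because the interpolation is resolved by PHP before MySQL ever sees the string. With the prepared statement, the same `$password` value is delivered to the server as a plain string parameter and simply fails to match any row. Comparing plaintext passwords in SQL is a separate weakness from the injection discussed on this page; `password_hash()` / `password_verify()` in PHP is the standard replacement.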

1 Answer

No. It is vulnerable to SQL Injection.

Use Prepared Statements, and preferably PDO instead of mysqli:

```php
// $pdo is an already-opened PDO connection, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass)
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email AND status = :status');
$stmt->execute(['email' => $email, 'status' => $status]); // values are bound, never interpolated
$user = $stmt->fetch();
```

See this awesome resource for more info: https://phpdelusions.net/pdo#prepared

Learn about SQL Injection here: https://www.owasp.org/index.php/SQL_Injection

delboy1978uk
  • thnx, but I'm not asking about what is the best way to secure my code here; I'm asking how a hacker injects his payload, since I tried and it was secure. – ItsJay Aug 09 '19 at 13:30
  • I have added a link to the Open Web Application Security Project, which tells you all about SQL Injection – delboy1978uk Aug 09 '19 at 13:32
  • Try making username `whatever'; DROP TABLE users; SELECT * FROM users WHERE '1'='1`, which would mean you end up with these 3 queries. `SELECT * FROM users WHERE username='whatever'; DROP TABLE users; SELECT * FROM users WHERE '1'='1' AND password='{$password}'`. Obviously the 3rd won't run if it succeeds! – delboy1978uk Aug 09 '19 at 13:37
  • @delboy1978uk in PHP most MySQL client query functions do not support executing multiple SQL statements separated by a semicolon (`;`); it will give you a parse error.. Well, PDO in client-side prepare emulation, its default running mode, can.. But if you run client-side prepare emulation then you can still be prone to SQL injection attacks, especially if you didn't define a charset.. – Raymond Nijland Aug 09 '19 at 13:45
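The last comment raises two PDO settings that the answer's snippet leaves implicit: whether prepares are emulated client-side, and which connection charset is declared. The example below is added here and is not code from the answer or its author. It opens a PDO connection with native (server-side) prepares and an explicit charset, then runs the answer's exact statement through it; the host, user and database name are taken from the question's code, and `connect` / `findUserByEmail` and the sample values are names and inputs made up for this example.

```php
<?php
// Added example: PDO configured so the prepared statement from the answer is a
// real server-side prepare, with the charset declared in the DSN.

function connect(): PDO
{
    // Declaring the charset in the DSN tells PDO the connection encoding; it is
    // what the client library relies on whenever it has to quote values itself.
    $dsn = 'mysql:host=localhost;dbname=users;charset=utf8mb4';
    return new PDO($dsn, 'root', '', [
        // Native prepares: statement text and parameters go to the server separately.
        // The MySQL server only accepts a single statement per prepare, so the
        // stacked "; DROP TABLE ..." form discussed in the comments is rejected outright.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUserByEmail(PDO $pdo, string $email, string $status): ?array
{
    // Same statement as in the answer; placeholders are filled in by the driver.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email AND status = :status');
    $stmt->execute(['email' => $email, 'status' => $status]);
    $user = $stmt->fetch();
    return $user === false ? null : $user;
}

// Constructed input: the kind of value that would have rewritten the question's
// interpolated query. Here it is only ever compared against the email column.
$email  = "someone@example.com' OR '1'='1";
$status = 'active';

$pdo = connect();
var_dump(findUserByEmail($pdo, $email, $status)); // NULL: no row has that literal email
```

With `ATTR_EMULATE_PREPARES` left at its default, pdo_mysql builds the final SQL string on the client by quoting each value, which is why the charset declaration matters there; with it disabled, the quoting step disappears altogether because the values never become part of the SQL text.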