
I was trying to do SQL Injection (SQLi).

My Form is:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="POST">
    <table>
        <tr>
            <td>Nama Properti</td>
            <td>:</td>
            <td>
                <input type="text" name="property_name">
            </td>
            <td>
                <?php if (isset($errors)) echo "<p class='errlog'>" . $errors . "</p>"; ?>
            </td>
        </tr>
        <tr>
            <td></td>
            <td>:</td>
            <td>
                <input type="submit" name="submit-form" value="Kirim">
            </td>
        </tr>
    </table>
</form>

And my action is:

<?php
    if (isset($_POST["submit-form"])) {

        if (!empty($_POST["property_name"])) {

            $mysqli = new mysqli("127.0.0.1", "root", "", "belajar");
            if ($mysqli->connect_errno) {
                echo "Failed to connect to MySQL: " . $mysqli->connect_error;
                exit();
            }
            $property_name = $_POST["property_name"];
            echo $property_name; // prints 'x'); DROP TABLE kelas_lain;--
            // The raw value is concatenated into the statement without quoting or escaping
            $sql = "INSERT INTO kelas_lain (property_name) VALUES (" . $property_name . ")";
            echo "<br>" . $sql; // prints INSERT INTO kelas_lain (property_name) VALUES ('x'); DROP TABLE kelas_lain;--)

            // query() returns true (not a result set) for a successful INSERT
            if ($mysqli->query($sql)) {
                echo "<p class='successlog'>Success !</p>";
                echo "Affected rows are: " . $mysqli->affected_rows;
            } else {
                echo "<p class='errlog'>There is an error with SQL !</p>";
            }

            $mysqli->close();

        } else {
            $errors = "Mohon Isi Form !";
        }

    }
?>

I passed this 'x'); DROP TABLE kelas_lain;-- through the user input form, but I get the error echo "<p class='errlog'>There is an error with SQL !</p>"; instead of successfully running this command INSERT INTO kelas_lain (property_name) VALUES ('x'); DROP TABLE kelas_lain;--) which would drop the kelas_lain table.

I did echo $sql; and it showed:

INSERT INTO kelas_lain (property_name) VALUES ('x'); DROP TABLE kelas_lain;--)

And I think all is correct.

Additional

Meanwhile, I have successfully done SQLi by passing the query through the URL.

The passed query is: index.php?id=1 UNION SELECT password FROM siswalogin where id=1

This is the code:

<?php
    /*
     * Check if the 'id' GET variable is set
     */
    if (isset($_GET['id'])) {
        // HTML escaping only; the value is still placed unquoted into the SQL below
        $id = htmlspecialchars($_GET['id']);

        /* Setup the connection to the database */
        $mysqli = new mysqli('localhost', 'root', '', 'belajar');

        /* Check connection before executing the SQL query */
        if ($mysqli->connect_errno) {
            printf("Connect failed: %s\n", $mysqli->connect_error);
            exit();
        }

        /* SQL query vulnerable to SQL injection */
        $sql = "SELECT username
        FROM siswalogin
        WHERE id = $id";

        /* Select queries return a result */
        if ($result = $mysqli->query($sql)) {
            while ($obj = $result->fetch_object()) {
                print($obj->username);
            }
            echo "<br>" . $id; // = 1 UNION SELECT password FROM siswalogin where id=1
        }
        /* If the database returns an error, print it to screen */
        elseif ($mysqli->error) {
            print($mysqli->error);
        }
    }
?>

1 Answer


For security reasons (especially SQL injection) the mysqli_query() function doesn't support execution of multiple SQL statements.

Instead you have to use the mysqli_multi_query() function (which should never be used to process content of web forms).

By default the MariaDB/MySQL server doesn't support execution of multiple SQL statements unless the client flags CLIENT_MULTI_STATEMENTS and CLIENT_MULTI_RESULTS are set. However, these options don't exist in PHP.

Georg Richter
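A hardened version of both handlers from the question, added here as an example (it is not code from the question or the answer): each query becomes a mysqli prepared statement, so the input is bound as a value and is never part of the SQL text, whatever mysqli_query() does with stacked statements. It assumes the question's database, tables and columns; the helper names insertProperty and findUsername are mine.

```php
<?php
// Added example, not from the question or answer: both handlers from the post
// rewritten with prepared statements so user input is bound as a value and is
// never parsed as SQL. Connection details and table names are the question's.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any DB error
$mysqli = new mysqli("127.0.0.1", "root", "", "belajar");

// Insert a property name; the value travels through bind_param, not string concatenation.
function insertProperty(mysqli $db, string $propertyName): int
{
    $stmt = $db->prepare("INSERT INTO kelas_lain (property_name) VALUES (?)");
    $stmt->bind_param("s", $propertyName); // "s" = string parameter
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Look up a username by id; the id is bound as an integer, so a value like
// "1 UNION SELECT password ..." can never alter the statement.
function findUsername(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT username FROM siswalogin WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($username);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $username : null;
}

if (isset($_POST["submit-form"]) && !empty($_POST["property_name"])) {
    // The payload from the question, 'x'); DROP TABLE kelas_lain;--, is stored
    // literally as a property name; no second statement ever reaches the server.
    $rows = insertProperty($mysqli, $_POST["property_name"]);
    echo "<p class='successlog'>Inserted " . $rows . " row.</p>";
}

if (isset($_GET['id'])) {
    // Validate the type first: "1 UNION SELECT ..." is rejected before any SQL runs.
    $id = filter_var($_GET['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit("invalid id");
    }
    $username = findUsername($mysqli, $id);
    echo htmlspecialchars($username ?? "not found", ENT_QUOTES, "UTF-8"); // escape on output
}
$mysqli->close();
```

With mysqli_report() in strict mode a failed prepare or execute throws a mysqli_sql_exception instead of silently returning false, so errors surface in the application log rather than in the "There is an error with SQL !" branch.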