As the title says, I'm developing a small project and am encountering some issues. I tried SQL injection directly on the search box but it doesn't seem to work. I believe my code is not that sanitized though. Any input would be appreciated.

This is part of my form page:

          <form method="post" action="tablepaging1.php">
            <div class="form-group">
              <input type="text" class="form-control bg-light border-0 small" name="word" placeholder="Search for..." aria-label="word" aria-describedby="basic-addon2">
              <input type="submit" value="Search" name="submit" class="login-button"/>
            </div>
          </form>

This is the processing portion (tablepaging1.php):

    <?php
    require('config.php');
    $word = $_POST['word'];

    $min_length = 3;

    if(strlen($word) >= $min_length){ // if query length is more or equal minimum length then

        $raw_results = "SELECT * FROM services
            WHERE `co_name` LIKE '%".$word."%' OR `co_phone` LIKE '%".$word."%'";
        $getSearch_res = mysqli_query($link, $raw_results) or die('v3n0ms1x6SiX');

        if(mysqli_num_rows($getSearch_res) > 0){ // if one or more rows are returned do following

            while($results = mysqli_fetch_array($getSearch_res)){
                echo "<p><h3>".$results['co_name']."</h3>".$results['co_phone']."</p>";
            }

        }
        else{
            echo "No results";
        }

    }
    else{
        echo "Minimum length is ".$min_length;
    }
    ?>
Your Common Sense
matr3p
  • Please use prepared statements. This is a problem which was solved a very long time ago. Don't leave yourself exposed and don't reinvent the wheel. – Tim Biegeleisen Nov 16 '20 at 05:12
  • It proves that you're not very good at crafting injection strings, but it's not a programming question :) – hobbs Nov 16 '20 at 05:13
  • Yeah, I'm still learning, thus the question. I'm using localhost for this project, so yeah, I'm trying to sort out my code. – matr3p Nov 16 '20 at 05:17
  • A simple Select * from '% won't yield any results either :( – matr3p Nov 16 '20 at 05:20
  • What's the point in learning SQL injection at this point? Your code screams about much more pressing matters. – Your Common Sense Nov 16 '20 at 06:43

1 Answer

So you want to try SQL injection? For your case, please try the following input as $word:

abc' or 1=1 or 'ddd

so your resulting string will be

SELECT * FROM services WHERE co_name LIKE '%abc' or 1=1 or 'ddd%' OR co_phone LIKE '%abc' or 1=1 or 'ddd%'

and you will retrieve all the data from the services table.

Ken Lee
  • if(strlen($word) >= $min_length): in my case the $word length is 19, and 19 is >= 3, so the code will be executed (am I correct?) – Ken Lee Nov 16 '20 at 05:47
  • If I do not know what SQL query is running, what should the injection be? – matr3p Nov 16 '20 at 06:03
  • or 1=1 or always returns true, so you can try either (1) abc' or 1=1 or 'ddd or (2) abc" or 1=1 or "ddd [1 and 2 only differ in using single quote or double quote] – Ken Lee Nov 16 '20 at 07:15
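The following is an added example, not code from the question or the answer. It puts the question's string-concatenated query next to a prepared-statement version of the same search, so you can see why the answer's input changes the statement in the first case and is only ever treated as a search value in the second. It assumes `$link` is the mysqli connection created by `config.php` and that the mysqlnd driver is available for `get_result()`; the table and column names come from the question.

```php
<?php
// Added example (not from the question or the answer): the concatenated query
// from tablepaging1.php beside a prepared-statement version of the same search.
// Assumes config.php defines $link (a mysqli connection), as in the question.

// 1. What tablepaging1.php does: the search word is spliced into the SQL text,
//    so quotes inside the word become part of the statement's structure.
function build_concatenated_query(string $word): string {
    return "SELECT * FROM services WHERE `co_name` LIKE '%" . $word
         . "%' OR `co_phone` LIKE '%" . $word . "%'";
}

// 2. The fix: the statement text is fixed and the word is sent separately as a
//    bound parameter, so it can only ever be compared as data. The LIKE
//    wildcards are added to the bound value, never to the SQL text.
function search_services(mysqli $link, string $word): array {
    $sql  = "SELECT co_name, co_phone FROM services WHERE co_name LIKE ? OR co_phone LIKE ?";
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    // Escape LIKE metacharacters in the user's word so a typed '%' or '_'
    // matches literally instead of acting as a wildcard (MySQL's default LIKE
    // escape character is the backslash).
    $pattern = '%' . addcslashes($word, '%_\\') . '%';
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Part 1 needs no database: show the statement the answer's input produces.
$input = "abc' or 1=1 or 'ddd";
echo build_concatenated_query($input), "\n";
// The prepared statement keeps `co_name LIKE ? OR co_phone LIKE ?` unchanged and
// binds the literal value "%abc' or 1=1 or 'ddd%", which matches no row unless
// a company is actually named that.

// Drop-in replacement for the body of tablepaging1.php (requires config.php):
// require('config.php');
// $word = $_POST['word'] ?? '';
// foreach (search_services($link, $word) as $row) {
//     echo '<p><h3>' . htmlspecialchars($row['co_name']) . '</h3>'
//        . htmlspecialchars($row['co_phone']) . '</p>';
// }
```

The `htmlspecialchars()` calls in the usage comment are a second, separate fix: the original echoes column values straight into the page, so stored data containing HTML would be rendered rather than displayed.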