I have created a teaching resource to allow students to SQL inject a web page and extract information. This works up to a point, as entering ' OR '1'='1';-- ' will allow them to see the first result returned and they can use OFFSET to see the others.

When I try to include a DROP TABLE in the query, I get "Fatal error: Uncaught TypeError: mysqli_fetch_assoc(): Argument #1 ($result) must be of type mysqli_result, bool given"

Can I change the code below so that these additional injections would work? Or is there some text they could enter that would make it work?

```php
// prepare sql - this is a really bad thing to do
$sql = "SELECT * FROM tblUsers WHERE username = '$user' AND password = '$pass' ";
// leaky log to console
console_log($sql);

$result = mysqli_query($conn, $sql);
// leaky log to console
console_log($result);

// if the query ran successfully
if (mysqli_num_rows($result) > 0) {
    // get the row and turn into an array of strings
    $row = mysqli_fetch_assoc($result);
} else {
    // if nothing returned, throw them back to the login page
    echo "Incorrect username or password";
    header("Location: login.html");
    exit();
}
```
mikki
  • First of all, please stop teaching new students mysqli. They should be learning PDO as it is much easier. The reason why you see the cryptic message is because you forgot to enable mysqli error reporting. [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) – Dharman Oct 26 '21 at 08:06
  • https://stackoverflow.com/questions/24758105/sql-injection-drop-table-not-working – Dharman Oct 26 '21 at 08:08
  • https://stackoverflow.com/questions/50451372/sql-injection-wont-work-without-using-mysqli-multi-query?rq=1 – Dharman Oct 26 '21 at 08:09
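
For contrast with the vulnerable login query in the question, here is the hardened form with mysqli error reporting switched on, as the first comment recommends. This is an added example, not part of the question or its comments. `mysqli_query()` returns `false` when the server rejects the SQL, which is where the "bool given" TypeError comes from; with reporting enabled the underlying database error is thrown instead. The function name `find_user`, the connection credentials and the `$_POST` field names are assumptions, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not the poster's code.
// Make mysqli throw mysqli_sql_exception on failure instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the matching row, or null when nothing matches.
function find_user(mysqli $conn, string $user, string $pass): ?array
{
    // The ? placeholders keep user input as data; it is never parsed as SQL.
    $stmt = $conn->prepare(
        'SELECT * FROM tblUsers WHERE username = ? AND password = ?'
    );
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();
    return $row;
}

try {
    // Placeholder connection details (constructed for this example).
    $conn = new mysqli('localhost', 'app_user', 'app_password', 'teaching_db');
    $row = find_user($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($row === null) {
        // Send the redirect before any output so the header is not lost.
        header('Location: login.html');
        exit();
    }
    // ... continue with the authenticated user in $row
} catch (mysqli_sql_exception $e) {
    // Log the real database error server-side; do not echo it to the browser.
    error_log('Login query failed: ' . $e->getMessage());
    http_response_code(500);
    exit();
}
```

The query keeps the plaintext password comparison only to mirror the table in the question; a production login would store hashes and check them with `password_hash()` and `password_verify()`.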

0 Answers