To understand SQL injection I wanted to build a basic example with PHP and MySQL:

If I try to execute a command with a single quote I get the following error:

Is there another possibility to inject code in this example?

Here is my code:

<?php
    include_once 'C:\xampp\htdocs\phplessons\includes\dbh.inc.php';

    // Escaping left commented out so the injection can be tried
    //$first = mysqli_real_escape_string($conn, $_POST['first']);
    $first = $_POST['first'];
    $last = $_POST['last'];
    $email = $_POST['email'];
    $uid = $_POST['uid'];
    $pwd = $_POST['pwd'];

    // Raw form values are interpolated straight into the statement text
    $sql = "INSERT INTO users (user_first, user_last, user_email, user_uid, user_pwd) VALUES ('$first', '$last', '$email', '$uid', '$pwd');";
    mysqli_query($conn, $sql);

    header("Location: ../index.php?signup=success");
    exit();
alderone
    `mysqli_query()` can execute only one query. You might want to use [`mysqli_multi_query()`](https://www.php.net/manual/en/mysqli.multi-query.php) – Cid Jul 18 '22 at 15:18
  • You need to compose valid SQL. Also `mysqli_query` only executes 1 query, so you can't forge a `drop` in it. e.g. `INSERT INTO users (user_first, user_last, user_email, user_uid, user_pwd) VALUES ('' DROP TABLE suppliers', '$last', '$email', '$uid', '$pwd');` is not valid – user3783243 Jul 18 '22 at 15:19
  • Another way to show how injections work is injecting an `UNION` – Cid Jul 18 '22 at 15:20
  • Thanks, if I use mysqli_query(), is it possible to add an additional SQL query at the end? – alderone Jul 18 '22 at 15:26
  • @alderone no it's not. – Cid Jul 18 '22 at 15:27
  • @Cid can you please give me a example how to use UNION in this case? – alderone Jul 18 '22 at 15:29
  • `SELECT ... FROM .... WHERE foo = 'injection starts here' UNION SELECT ... FROM SensitiveTable; --'` the injected string being : `injection starts here' UNION SELECT ... FROM SensitiveTable; --` – Cid Jul 18 '22 at 15:32
  • With `insert` it could only be manipulated to insert additional data. For a manipulated `insert` you could send `first', 'last', 'test', 'email', id, 'hash') --` for the first name and it should insert data with an unhashed password – user3783243 Jul 18 '22 at 15:34
  • @Cid Thanks, this will only work with a select statement? – alderone Jul 18 '22 at 15:37
  • @user3783243 What would be the problem if someone can insert additional data if it is already possible to insert data via the form? – alderone Jul 18 '22 at 15:38
  • If you require username in some format or some other validation rules could bypass them. Nothing can really be done malicious here. Only data added to db. – user3783243 Jul 18 '22 at 15:39
  • You've got to make up your mind. Whether you want to inject some code or to drop some table. To demonstrate the SQL injection the former is more than enough. – Your Common Sense Jul 18 '22 at 15:52
  • SQL injection is not always malicious. It could just result in errors, which would be a bad experience for your users. For example, try pretending your last name is "O'Reilly". It results in an error given your code. So this means your website cannot register a user with an apostrophe in their name. Would you consider that to be a bug? – Bill Karwin Jul 18 '22 at 16:06

0 Answers