0

I have this code:

<?php
// Assumes $conn is an open mysqli connection (not shown in the question)
if (isset($_POST['submit'])) {
    $name = $_POST['name'];

    // $name is interpolated straight into the SQL string (the injection point under discussion)
    $query = mysqli_query($conn, "select name from accounts where name = '{$name}'");
    if ($query) {
        echo "success";
    } else {
        echo "error";
    }
}
?>



<form action="" method="post">
    Name: <input type="text" name="name"><br><br>
    <input type="submit" name="submit" value="Add">
</form>

And I wrote this in the form and submitted it; it only returned (error), and the table was not deleted.

Dharman
Osama Mohammed

2 Answers

4

For mysqli, multiple statements or multi queries must be executed with mysqli::multi_query()

So change

$query = mysqli_query($conn, "select name from accounts where name = '{$name}'");

to

$query = mysqli_multi_query($conn, "select name from accounts where name = '{$name}'");

then retry what you want on your own machine.

Of course, usually a hacker will just gain privileges by logging in as "admin" and then do whatever he/she wants (in that case, a single query in a select statement through a SQL attack will do, and there is no need to execute multi-queries).

[additional point]

For single query SQL attack, submit the following:

1}' or 1=1 or '{1=1

which will become:

select name from accounts where name='{1}' or 1=1 or '{1=1}'

or

1}' or name='admin' or '{1=1

which will become:

select name from accounts where name='{1}' or name='admin' or '{1=1}'

Hence, to avoid SQL attacks, please use parameterized prepared statements. For details, you may refer to:

php mysqli prepared statements select

Ken Lee
  • Then why do I need to use prepare, for example, if mysqli is already secure? My question is how I can simulate the SQL injection with my code or similar code – Osama Mohammed Nov 04 '22 at 10:47
  • 1
    See `additional point` in my further revised answer. – Ken Lee Nov 04 '22 at 10:59
  • 1
    @OsamaMohammed That is not secure. SQL is being manipulated. Maybe not as badly as it can be in older systems but still not what developer intended. Also if you were fetching and outputting content user could add in `union` calls and get data from other tables that was not intended. – user3783243 Nov 04 '22 at 11:04
  • can you please explain this line? (1}' or 1=1 or '{1=1) – Osama Mohammed Nov 04 '22 at 11:14
  • 1
    `1=1` will already be sufficient to make the condition true if the other logical comparison operators are "or", so it is a normal trick to do it. But usually we may use `name='admin'` to gain super-user privilege (AGAIN - please only perform hacking testing on your OWN MACHINES. Thanks) – Ken Lee Nov 04 '22 at 11:16
  • Thank you, so I can use this also, right? 1' or '1=1 – Osama Mohammed Nov 04 '22 at 11:47
  • 1
    yes sure you can – Ken Lee Nov 04 '22 at 11:48
-2

For example, if you send a request like this:

1';DROP table accounts where id!='123454321344321

Because of request encoding, you can use the + sign instead of spaces. I am writing an example in PHP that simulates the $name argument:


<?php
// Simulated request variable: this is what $_POST['name'] would contain.
// Assumes $conn is an open mysqli connection (not shown in the answer).
$name = "1';DROP table accounts where id!='123454321344321";
$query = mysqli_query($conn, "select name from accounts where name = '{$name}'");
if ($query) {
    echo "success";
} else {
    echo "error";
}
Tural Rzaxanov