I am trying to inject the script given below and i am giving something like -
userid="abcd" and pid="'; drop table shubh //"
but it is not deleting the table. and i have seen many answers on stackoverflow everyone is using these comments "--" but as per PHP Manual comments are these "//,#,/* */"
i am referring to this resource -- http://www.w3resource.com/sql/sql-injection/sql-injection.php
<?php
$host="localhost";
$username="root";
$password="";
$db_name="hr";
$con=mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$uid = $_POST['uid'];
$pid = $_POST['passid'];
$sql = "select * from user_details where userid = '".$uid."' and password = '".$pid."'";
//$sql = "select * from user_details where userid = '".shubham."'";//shubham"' drop table shubh";//.$uid."' and password = '".$pid."'";
echo $sql;
$result = mysql_query($sql);
if(mysql_num_rows($result)>0)
{echo "<h4>"."-- Personal Information -- "."</h4>","</br>";
while ($row=mysql_fetch_row($result))
{echo "<p>"."User ID : ".$row[1]."</p>";
echo "<p>"."Password : ".$row[2]."</p>";
echo "<p>"."First Name : ".$row[3]." Last Name : ".$row[4]."</p>";
echo "<p>"."Gender : ".$row[5]." Date of Birth :".$row[6]."</p>";
echo "<p>"."Country : ".$row[7]." User rating : ".$row[8]."</p>";
echo "<p>"."Email ID : ".$row[9]."</p>";
echo "--------------------------------------------";
}
}
else
echo "Invalid user id or password";
?>
userid="abcd" and pid="'; drop table shubh //"
but it is not deleting the table.
mysql_query only accepts a single statement.
SQL injection via that function needs to use a different approach (such as subqueries).
i have seen many answers on stackoverflow everyone is using these comments "--" but as per PHP Manual comments are these "//,#,/* */"
SQL is not PHP. It has a different comment syntax.
Related
I am working on a site to share names of songs, and I have made a recommendation form that I include in every page. This recommendation form is in HTML and leads to a PHP action page, where the information received is added to a SQL table. Here is the code:
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="MYPASSWORD"; // Mysql password
$db_name="DB NAME"; // Database name
$tbl_name="songshare"; // Table name
// Connect to server and select databse.
$link = mysqli_connect("$host", "$username", "$password")or die("cannot connect");
mysqli_select_db($link, "$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$song=$_POST['song'];
$album=$_POST['album'];
$artist=$_POST['artist'];
$linkitunes=$_POST['linkitunes'];
$artwork=$_POST['albumPic'];
// To protect MySQL injection (more detail about MySQL injection)
$song = stripslashes($song);
$album = stripslashes($album);
$artist = stripslashes($artist);
$song = mysqli_real_escape_string($link, $song);
$album = mysqli_real_escape_string($link, $album);
$artist = mysqli_real_escape_string($link, $artist);
$sql="SELECT * FROM $tbl_name WHERE song='$song'";
$result=mysqli_query($link, $sql);
if ($result->num_rows){
echo "Song already taken" . "<br />";
echo "<a href='/music.php'>music</a>";
exit();
}
$sql="INSERT INTO recommendation (user_id, artist, song, album, artwork, linkitunes)";
$sql = $sql . " VALUES ('$_SESSION['user_id']', '$artist', '$song', '$album'. '$artwork'. '$linkitunes');";
$result=mysqli_query($link, $sql);
if(!$result) {
echo "Recommendation failed" . "<br />";
echo $sql;
} else {
print "$song, $artist, $album";
}
ob_end_flush();
?>
I have checked that every username, password, link is correct and valid. My server does, in fact, run PHP. It doesn't seem to me like the PHP code is even running though.
Thank you so much in advance.
-Cameron
Turn on error reporting by adding this on top of page:
ini_set("display_errors",true);
and change this line:
$link = mysqli_connect("$host", "$username", "$password")
to
$link = mysqli_connect($host, $username, $password,$db_name);
Please have a look how to work with mysqli
Instead of '$album'. '$artwork'. '$linkitunes' Do: '$album', '$artwork', '$linkitunes', while saving data.
Try this :-
$sql = $sql . " VALUES ('".$_SESSION['user_id']."', '$artist', '$song', '$album', '$artwork', '$linkitunes')";
instead of
$sql = $sql . " VALUES ('$_SESSION['user_id']', '$artist', '$song', '$album'. '$artwork'. '$linkitunes');";
You should check the version of local server you are working with. If you are working with a higher of local server and you php was written in a lower version it throws a blank page.
Good Day
I am using a program called Site Lock from Vibraloxig works great for what I need but have a question maybe someone can assist me.
The site allows me to draw certain information of the user using simple PHP echo commands
<?php echo $slusername; ?>
Will echo the user name for me and so on. What I would like to do is use this to filter a query in msql tables this is my current code
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$query = "SELECT * FROM members WHERE ussd_dealer = '<?php echo
$slcustom1; ?>' ";
$result = mysql_query($query);
echo " ".mysql_num_rows($result)." ";
?>
My table has the ussd_dealer and the custom1 i am calling works on the site but does not work in the query to filter the table for me. Not sure if I need to use "" instead of '' after the WHERE ussd_dealer = . Assistance would be greatly appreciated.
You don't need to echo inside your string creation:
$query = "SELECT * FROM members WHERE ussd_dealer = '$slcustom1' ";
When you want to echo it to the HTML, you use the echo function, but when you simply want to use the value inside the variable - and you are in a PHP code structure, you can simply refer to it as it is.
Be aware though that this is terribly insecure.
You should read this question/wiki on what SQL injection is, and why doing what you are asking is opening a can of worms to have your site hosed.
you can use variable name directly in your query
$query = "SELECT * FROM members WHERE ussd_dealer = '{$slcustom1}' ";
SIDENOTE : use mysqli instead of mysql
I am very new to coding PHP, HTML, and CSS and am just making a basic website with very basic functions that I will change and make better as I learn more about how to code these languages. My question is why my responses to a thread I have created in my forum response page does not appear when I view the forum? The code I used was not mine - I got it from
this website :www.phpgang.com/create-a-simple-forum-in-php_158.html
Everything else with this code works, no errors, and I can create a topic, view the topic, and respond to the topic but the response does not appear when I view the topic. It does however add a comment to the comment area of the forum table that shows all of the current topics. Please offer any ideas of how I can make the response display. If you have any questions on what exactly it is doing please comment.
(the code that is supposed to display and add the response to the topic)
add_answer.php:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="greatdebate"; // Database name
$tbl_name="fanswers"; // Table name
// Connect to server and select databsae.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get value of id that sent from hidden field
$id=$_POST['id'];
// Find highest answer number.
$sql="SELECT MAX(a_id) AS Maxa_id FROM $tbl_name WHERE question_id='$id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
// add + 1 to highest answer number and keep it in variable name "$Max_id". if there no
answer yet set it = 1
if ($rows) {
$Max_id = $rows['Maxa_id']+1;
}
else {
$Max_id = 1;
}
// get values that sent from form
$a_name=$_POST['a_name'];
$a_email=$_POST['a_email'];
$a_answer=$_POST['a_answer'];
$datetime=date("d/m/y H:i:s"); // create date and time
// Insert answer
$sql2="INSERT INTO $tbl_name(question_id, a_id, a_name, a_email, a_answer,
a_datetime)VALUES('$id', '$Max_id', '$a_name', '$a_email', '$a_answer', '$datetime')";
$result2=mysql_query($sql2);
if($result2){
echo "Successful<BR>";
echo "<a href='view_topic.php?id=".$id."'>View your answer</a>";
// If added new answer, add value +1 in reply column
$tbl_name2="fquestions";
$sql3="UPDATE $tbl_name2 SET reply='$Max_id' WHERE id='$id'";
$result3=mysql_query($sql3);
}
else {
echo "ERROR";
}
// Close connection
mysql_close();
?>
Please contact me if you need to see the main_forum.php or the new_topic.php,
There's an error at line $id=$_GET['id']; said that Notice: Undefined index: id in D:\XAMPP\htdocs\view_topic.php on line 101. I tried to change " $_GET " to " $_POST " but the error is still the same. Any help ?
I am trying to retrieve the id from the database and listed all the forum topic posted by users. Others php file can run smoothly. I got problem retrieving id of the post.
<?php
$host="localhost";
$username="root";
$password="";
$db_name="db";
$tbl_name="forum_question";
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// get value of id that sent from address bar
$id=$_GET['id'];
$sql="SELECT * FROM $tbl_name WHERE id='$id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
?>
Always make use of the isset construct when assigning data to variables from outside world
if(isset($_GET['id']))
{
$id=$_GET['id'];
$sql="SELECT * FROM $tbl_name WHERE id='$id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
}
else
{
echo "ID was not set. Let me go and check the form again !";
}
?>
This variable has to be set in your URL. You have to check if it's present:
<?php
$host = "localhost";
$username = "root";
$password = "";
$db_name = "db";
$tbl_name = "forum_question";
// Connect to server and select databse.
$db = new mysqli($host, $username, $password, $db_name);
// get value of id that sent from address bar
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if($id <> 0) {
// TODO
// 404 Not Found
} else {
$sql = "SELECT * FROM $tbl_name WHERE id='$id'";
$row = $db->query($sql)->fetch_assoc();
// TODO
// Do Something with Data
}
Your URL must then be http://example.com/path/to/script.php?id=42
I added (int), so no sql injections are possible.
I replaced mysql_* by MySQLi, see comment to your question.
I removed quotes from variables in your query, you don't need them.
I've got two different sites. What I'd like to do is to automatically run a script that sends some of the data inserted into the database in site 1 when a user registers and updates a table in the database for site 2 so that an account is automatically created in site 2 using the same details.
I'm at the stage of trying to create a query that will update the database. I'm the self-made type so don't know that well what I'm doing. Got this query from somewhere but can't make it work. Can anyone tell what's wrong with it? It's not executing the query.
Thanks!
Eugenie
<?php
$host = "localhost"; // Host name
$username = "----"; // Mysql username
$password = "----"; // Mysql password
$db_name1 = "------"; // Database name
$db_name2 = "-----"; // Database name
$tbl_name1 = "-----"; // Table name
$tbl_name2 = "---"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name1")or die("cannot select DB");
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name2")or die("cannot select DB");
$query = "USE $db_name2
UPDATE $db_name2.dbo.$tbl_name2
SET email=d2.email FROM $db_name1.dbo.$tbl_name1 d2
WHERE d2.uid = $tbl_name1.uid";
$result = mysql_query($query) or die ("could't execute query.");
?>
<?php
$host = "localhost"; // Host name
$username = "----"; // Mysql username
$password = "----"; // Mysql password
$db_name1 = "------"; // Database name
$db_name2 = "-----"; // Database name
$tbl_name1 = "-----"; // Table name
$tbl_name2 = "---"; // Table name
$conn = mysql_connect($host, $username, $password);
mysql_select_db($db_name1, $conn) or die("cannot select DB");
mysql_select_db($db_name2, $conn) or die("cannot select DB");;
$query1 = "SELECT * FROM `" . $db_name1.$tb1_name1 . "` ";
$query2 = "SELECT * FROM `" . $db_name2.$tb1_name2 . "` ";
You can fetch data of above query from both database as below
$result1 = mysql_query($query1);
while($row = mysql_fetch_assoc($result1)) {
$data1[] = $row;
}
$result2 = mysql_query($query2);
while($row = mysql_fetch_assoc($result2)) {
$data2[] = $row;
}
print_r($data1);
print_r($data2);
?>
Suggestion: Try shifting to mysqli or PDO since mysql is depreciated now.
Recall the documentation for mysql_connect:
Returns a MySQL link identifier on success or FALSE on failure.
... and the documentation for the second parameter for mysql_query:
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
... should solve your problem. Example:
$link1 = mysql_connect( ... ); // For db 1.
$link2 = mysql_connect( ... ); // For db 2.
$result1 = mysql_query( "some query for db 1", $link1 );
$result2 = mysql_query( "some query for db 2", $link2 );
Well,
first of all, you're not connecting to two different databases, but using two different schemas in the same database. So only a mysql_connect should be used.
Also, if you're using full qualified names to access your tables you don't need to call mysql_select_db, nor the 'use db_name' mysql command.
Your query string is wrong. After USE $db_name2 you should have a semi-colon, and the update sentence is not correct.
Code could be somthing like that:
mysql_connect(...)
$query = "update $db2.$table2, $db1.$table1