PHP and MySQL SQL Injection Example

SQL injection is a very common attack on PHP applications. Earlier PHP versions had the magic_quotes_gpc directive On by default, but as of version 5.3 it is deprecated, so whatever protection magic quotes provided will be gone after PHP 5.3. For the attack, the attacker needs to know a little about your database schema, but getting those small details is not difficult: many times developers output the MySQL error, or because they did not bother to catch the error, PHP simply printed it to the screen.

SQL injection is a very common security vulnerability and it is documented in many places. One example explanation can be found at the PHP site itself. The big problem with those SQL injection examples is that when you try to see SQL injection in action yourself, you may find it difficult to reproduce. In that case, seeing SQL injection in action is not possible, which is not good for a learner who wants to see it to believe it. I have a complete set of code to see SQL injection in action. Hope you will enjoy the code.

Here is the code to set up the table in your local database:

CREATE TABLE IF NOT EXISTS `user` (
  `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
  `user` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

Insert sample data into the table:

INSERT INTO `user` (`id`, `user`, `password`) VALUES
(1, 'Satya', 'Satya'),
(2, 'Prakash', 'Prakash');

Now your database and table are ready to test the SQL injection attack. You need to check whether magic_quotes_gpc is enabled or not. Check with this code: var_dump(get_magic_quotes_gpc()); If the output is true (1), you need to disable it first to see SQL injection in action!
Search for magic_quotes_gpc = On in php.ini and change it to magic_quotes_gpc = Off. Restart Apache/IIS.

Now, the PHP and MySQL code to test the attack:

<?php
// Test SQL injection
// get_magic_quotes_gpc() has been DEPRECATED as of PHP 5.3.0
//var_dump(get_magic_quotes_gpc());
mysql_connect('localhost', 'root', 'root') or die('DB Conn error');
mysql_select_db('test');
// Deliberately vulnerable: the POSTed values are interpolated straight into the SQL text.
// The query is echoed so you can see exactly what reaches MySQL.
echo $query = "select * from user where user =  '$_POST[user]' AND password = '$_POST[pass]'";
echo '<br>';
$res = mysql_query($query) ;
if ($res AND mysql_num_rows($res) != 0) {
	// Print every row the (possibly manipulated) WHERE clause matched
	while($row = mysql_fetch_assoc($res)) {
		print_r($row);
		echo $row['user'] . '<br>' ;
	}
}
else if (!$res) {
	// Echoing mysql_error() leaks schema details; it is left in here only for the demo
	echo 'Error in query' . mysql_error();
}
else if (mysql_num_rows($res) == 0)  {
	echo 'No match.';
}
?>

HTML code to act as a user:

<form method="post" action="">
User: <input type="text" name="user">
<br />
Password: <input type="text" name="pass">
<input type="submit" name="submit1">
</form>

In the form, I have left the action empty so you can paste the code into a single PHP file: first all the PHP code, then the HTML code. Now enter this data to see an example of SQL injection. Enter
' or 1=1 or ' in the user field and leave the password field empty. Submit the form to see the result. You should get this output:

[Image: output from SQL injection attack example]

I hope you were not expecting to see the above output. So, this is a SQL injection attack!

Try with this query in PHP (the string literal is now delimited by double quotes, and the field name is the same user field from the form):

echo $query = 'select * from user where user = "' . $_POST['user'] . '"';

and enter " OR 1=1 or " in the user field.

The above was just test PHP code to demonstrate the SQL injection attack, so you will find many unnecessary items (echo, etc.). They help to visualize the situation!
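As an added example (not part of the original post), here is the same lookup written with a prepared statement, next to a function that builds the post's vulnerable query string so you can see how the input rewrites it. The mysql_* functions used above were removed in PHP 7, so the hardened version uses PDO; the DSN, the buildVulnerableQuery/findUser names and the root/root credentials from the post are assumptions for your local setup.

```php
<?php
// Added example, not the original post's code. Assumes the `test` database and
// the `user` table created above; DSN and credentials are placeholders for your setup.

// Vulnerable (for comparison only, never executed here): raw input is interpolated
// into the SQL text exactly as the post's query does, so a quote in the input ends
// the string literal and the rest of the input becomes SQL.
function buildVulnerableQuery(string $user, string $pass): string
{
    return "select * from user where user = '$user' AND password = '$pass'";
}

// Hardened: the SQL text is fixed at prepare time and the values travel separately
// as bound parameters, so the quote in the input is only data, never part of the query.
function findUser(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT id, user FROM user WHERE user = :user AND password = :pass');
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The post's input: shows the WHERE clause the vulnerable code would send to MySQL
$input = "' or 1=1 or '";
echo buildVulnerableQuery($input, '') . PHP_EOL;

$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'root', 'root', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of echoing SQL errors to users
    PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepared statements
]);

// Same input against the prepared statement: no row is named "' or 1=1 or '"
var_dump(findUser($pdo, $input, ''));
// A real credential from the sample data still works
var_dump(findUser($pdo, 'Satya', 'Satya'));
// Note: passwords are compared in plaintext only because the post's schema stores them
// that way; real code should store password_hash() output and check with password_verify().
```

The echoed line shows the injected quote closing the literal and `or 1=1` making the WHERE clause true for every row, while the prepared statement returns NULL for the same input and the sample row only for the real credentials.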
