Search code examples
phpmysqlsql-injectioncode-injection

SQL injection on localhost not working

So I'm trying to design a very simple and vulnerable website to demo how an SQL injection works, but when I attempt an injection with

');SELECT * FROM users;--

I get an error message stating:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT * FROM users;--')' at line 1

Source code is as follows :

welcome1.html:

<form action="test.php" method="get">  
  <div><label for="firstname">First name:  
    <input type="text" name="firstname" id="firstname"/></label>  
  </div>  
  <div><label for="lastname">Last name:  
    <input type="text" name="lastname" id="lastname"/></label></div>  
	<div><label for="email">E-mail : 
    <input type="text" name="email" id="email"/></label></div>  
	<div><label for="password">password:  
    <input type="text" name="password" id="password"/></label></div>  
  <div><input type="submit" value="GO"/></div>  
</form>

test.php:

<html>
<body>
 
 
<?php
$con = @mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect ' . mysql_error());
  }
 
mysql_select_db("accounts", $con);
$firstname = $_GET['firstname'];  
$lastname = $_GET['lastname']; 
$email = $_GET['email'];  
$password = $_GET['password']; 
$sql="INSERT INTO users(firstname, lastname, email, password)
VALUES
('$firstname','$lastname','$email','$password')";



if(!mysql_query("INSERT INTO users(firstname, lastname, email, password) VALUES ('$firstname','$lastname','$email','$password')"))
  {
  die('Error: ' . mysql_error());
  }

echo "1 record added";
 
mysql_close($con)
?>
</body>
</html>

running on WAMP server 3.0.6 on win10 I'm a noob when it comes to html/php if it wasn't obvious thanks

Solution

  • The kind of SQL injection you are attempting will not work with the mysql_query() API. That API doesn't support multi-query, so you can't execute two statements in one call to mysql_query(). It's a syntax error for the SQL to contain any content after the semicolon (;).

    It would work with mysqli_multi_query(). See also http://php.net/manual/en/mysqli.quickstart.multiple-statement.php

    Also with PDO, which IIRC does support multi-query by default in PDO::query().